Improve GeoIP and composite rule support for AWS events #91
Conversation
This copies the 'aws.sourceIPAddress' and 'aws.userIdentity.userName' fields to the standard static fields 'srcip' and 'user', so that 'srcip' can be used in Wazuh GeoIP lookups and <same_user /> and <same_source_ip /> can be used in composite rules.
|
We think that the best way to standardize the fields is using Logstash. We already included the aws.sourceIPAddress in Logstash by default: https://github.com/wazuh/wazuh/blob/master/extensions/logstash/01-wazuh-remote.conf#L18. Feel free to send a PR for Logstash configuation instead of this script. Thanks! |
|
Hi @jesuslinares , While good for other reasons, leaving the standardization of these CloudTrail field names to be done by Logstash does not solve the problem of ossec-analysisd being unable to use <same_source_ip /> and <same_user /> on CloudTrail events. Perhaps the better way to solve that problem is to make ossec-analysisd support dynamic field names in composite rule <same_...> constructs instead of limiting that feature to 6 static field names. For example something like this: Kevin |
|
You are right. We need to upgrade the <same*>_ feature to allow dynamic fields. Let me review your changes. Thanks. |
|
Thanks Jesus, While you are at it, it would probably make sense to add dynamic field support for the <different*>_ feature as well, since it is so closely related to <same*>_. Kevin |
|
It is merged. I opened an issue with the feature request. Thanks. |
This copies the 'aws.sourceIPAddress' and 'aws.userIdentity.userName' fields to the standard static fields 'srcip' and 'user', so that 'srcip' can be used in Wazuh GeoIP lookups and <same_user /> and <same_source_ip /> can be used in composite rules.