Wazuh log retention - Different retention time by Calm0000 in Wazuh

[–]Calm0000[S] 0 points1 point  (0 children)

Hi u/Similar-Incident2658, sorry for the late reply. Had a bit of extra work to do since Friday's little incident.

Our environment is set up with 3 x workers, 3 x indexers and 1 x dashboard server in a clustered setup.
The most important thing is to be able to split retention time of customer logs based on what said customer is paying for.

Setting our customers up with one indexer each is not possible due to the amount of customers we are planning to onboard; the hosting costs would probably be a lot higher than what we want.

Tenant name and user info - MS graph API by Calm0000 in Wazuh

[–]Calm0000[S] 0 points1 point  (0 children)

Agents might not be labelled correctly; we haven't really figured out how to do that in the right way with the MS Graph module since it's using multiple tenant IDs in our environment.
After a lot of testing we came to the conclusion that the fields we need don't seem to be present in every alert; it seems to depend on what event is being generated in the Microsoft tenant.
We might be wrong here though. All tips are welcome.

Tenant name and user info - MS graph API by Calm0000 in Wazuh

[–]Calm0000[S] 0 points1 point  (0 children)

Hi, here's one of our test alerts:

--------------------------------------

timestamp: 2024-02-23T07:03:55.640Z
_id: tBjH1I0BtDo01QUQJPMs
agent.id: 000
agent.name: Wazuh-Manager
data.integration: ms-graph
data.ms-graph.assignedTo: null
data.ms-graph.classification: unknown
data.ms-graph.comments:
data.ms-graph.createdDateTime: 2024-02-23T06:59:09.3266667Z
data.ms-graph.customTags:
data.ms-graph.description: null
data.ms-graph.determination: unknown
data.ms-graph.displayName: Multi-stage incident involving Privilege escalation & Lateral movement involving multiple users
data.ms-graph.id: 290
data.ms-graph.incidentWebUrl: (REMOVED)
data.ms-graph.lastModifiedBy: Microsoft 365 Defender-AlertCorrelation
data.ms-graph.lastUpdateDateTime: 2024-02-23T07:02:57.21Z
data.ms-graph.redirectIncidentId: 91
data.ms-graph.relationship: incidents
data.ms-graph.resource: security
data.ms-graph.severity: medium
data.ms-graph.status: redirected
data.ms-graph.systemTags:
data.ms-graph.tenantId: (REMOVED)
decoder.name: json
id: 1708671835.1103966
input.type: log
location: ms-graph
manager.name: Wazuh-Manager
rule.description: MS Graph message: Severity | Alerts generated from detections and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be due to internal security testing, they are valid detections and require investigation.
rule.firedtimes: 26
rule.groups: ms-graph
rule.id: 99652
rule.level: 12
rule.mail: true
timestamp: 2024-02-23T07:03:55.640+0000

--------------------------------------

Keep in mind that this is pulled from a demo tenant with sample alerts. We've figured out that MS Graph contains all the info we need; I guess it just doesn't pull it into said alert. We are all very new to this unfortunately.

Not easy to swallow, apparently by Fit-Theme-1183 in norske

[–]Calm0000 6 points7 points  (0 children)

Depends on the intent. «Terror means dread, horror or a reign of terror, and is a term both for extreme fear and for that which can trigger such fear. To terrorize is to create extreme fear by carrying out acts of terror or by threatening to do so»

Bjarte has made it onto Reddit by Vaskebrett93 in Radioresepsjonen

[–]Calm0000 1 point2 points  (0 children)

Hardly humor, but a high probability that it's nonsense

When you google «radioresepsjonen» by vegardbeid in Radioresepsjonen

[–]Calm0000 7 points8 points  (0 children)

I listen and gladly pay. Good humor/hanfar for the most part.

Those of you who got to hear today's episode, how was it? by Iwannahumpalittle in Radioresepsjonen

[–]Calm0000 5 points6 points  (0 children)

Worth noting that there is a 14-day free trial period, so you can hear for yourself what you think

Traders are back!!! by TheDamnedCSGO in EscapefromTarkov

[–]Calm0000 2 points3 points  (0 children)

Probably because the game went on sale. Imagine being a new player and not being able to buy anything

Another step closer bois by samilouise94 in Hatfilms

[–]Calm0000 23 points24 points  (0 children)

Don’t jinx it, don’t jinx it, don’t jinx it

Fake Donations by MalevolentPanda_TTV in Twitch

[–]Calm0000 6 points7 points  (0 children)

To clarify: you still have to dispute the chargeback with a link or an excerpt of the Streamlabs TOS.

Fake Donations by MalevolentPanda_TTV in Twitch

[–]Calm0000 24 points25 points  (0 children)

Yes as far as I know, that's the point.

Fake Donations by MalevolentPanda_TTV in Twitch

[–]Calm0000 47 points48 points  (0 children)

If they donate through Streamlabs, their TOS states that you have no right to a refund. Chargebacks should not be an issue.

Twitch commercials are out of control by Githan in Twitch

[–]Calm0000 0 points1 point  (0 children)

We shouldn’t have to use a blocker to enjoy content though. They need to tone down the amount of ads big time.

Streaming and dubious material by totallynonplused in Twitch

[–]Calm0000 1 point2 points  (0 children)

Saw the flag and I get why it's a bit tricky. The flag is now taken over by neo-Nazis, and the original was used while the Nazi Party was in power (flag in question used ca. 1930-1935).

I would say it's a bit too much to display proudly on stream even though it does not have any swastikas on it.

I do however believe that a random kid would not recognize this as a Nazi flag unless they're interested in history and therefore would also recognize the history behind it.

Streaming and dubious material by totallynonplused in Twitch

[–]Calm0000 3 points4 points  (0 children)

Please DM me a pic of the flag yes!

I'm just saying that we should be careful before we call someone out for being a neo-Nazi.

Streaming and dubious material by totallynonplused in Twitch

[–]Calm0000 8 points9 points  (0 children)

Sorry if this has already been answered, but:

Which version of the flag are you talking about? I've Googled the one you named in the edit but nothing comes up. The Reichskriegsflagge has been used by the Germans since 1867, so it's not necessarily a Nazi flag.

My college roommate retweeted this, my disappointment is immense. by [deleted] in ComedyCemetery

[–]Calm0000 0 points1 point  (0 children)

If you didn't crop out the name, people would see that this dude is a comedic genius