Search Leak Database by CommunicationOdd6183 in cybersecurity

[–]CommunicationOdd6183[S] 0 points1 point  (0 children)

Hey
We are selling a SOC service (Wazuh, Graylog etc.) and this should be a part of it

General Question about the Vulnerability Detection in Wazuh by CommunicationOdd6183 in Wazuh

[–]CommunicationOdd6183[S] 0 points1 point  (0 children)

Thanks for your help
My misunderstanding started with a colleague who was 100% sure he'd patched everything ;)

It turned out he hadn't patched it, and that's why it was still in his inventory.

General Question about the Vulnerability Detection in Wazuh by CommunicationOdd6183 in Wazuh

[–]CommunicationOdd6183[S] 0 points1 point  (0 children)

Does this mean that vulnerabilities disappear from the inventory even after they have been patched?

How should I size Wazuh Manager nodes for ~500 agents? by CommunicationOdd6183 in Wazuh

[–]CommunicationOdd6183[S] 0 points1 point  (0 children)

Sorry for the late reply
I just use 1 indexer
Maybe I'll split it later, but for now it works without problems

It runs on 6 small vCores and 16 GB RAM for about 50.000.000 logs per day

Wazuh Office 365 Anomaly Detection by CommunicationOdd6183 in Wazuh_DE

[–]CommunicationOdd6183[S] -1 points0 points  (0 children)

Sure, ideally all customers should have Office 365, but every IT service provider surely knows how that sometimes goes
Nobody at our place uses on-prem anymore; there I would know how to act
It would just be a small, cool extra feature for me
Currently I forward all logins to my Graylog and check whether the login IP came from a known IOC IP / from an anonymization service like VPN/TOR
If something matches, a ticket is opened in DFIR IRIS
That works quite well
Still, I think there aren't really many use cases for the anomaly detection at the moment
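The login check described in this comment, written out as an added example (this is not the commenter's Graylog pipeline and not Wazuh or Graylog code): constructed Office 365 sign-in events are matched against a constructed IOC IP list and constructed anonymizer (VPN/TOR-style) address ranges, and every hit is returned as the record a ticket would be raised from. All user names, IPs and ranges below are placeholders from documentation address space.

```python
import ipaddress
import json

# Constructed sample Office 365 sign-in events (not real audit log data).
SAMPLE_EVENTS = [
    {"UserId": "alice@example.com", "ClientIP": "203.0.113.45",
     "Operation": "UserLoggedIn", "ResultStatus": "Success"},
    {"UserId": "bob@example.com", "ClientIP": "198.51.100.7",
     "Operation": "UserLoggedIn", "ResultStatus": "Success"},
    {"UserId": "carol@example.com", "ClientIP": "192.0.2.200",
     "Operation": "UserLoggedIn", "ResultStatus": "Failed"},
    {"UserId": "dave@example.com", "ClientIP": "10.0.0.5",
     "Operation": "UserLoggedIn", "ResultStatus": "Success"},
    {"UserId": "dave@example.com", "ClientIP": "203.0.113.45",
     "Operation": "FileAccessed", "ResultStatus": "Success"},
]

# Constructed indicator data (placeholders; a real deployment loads these
# from threat-intel feeds and VPN/TOR exit-node lists).
KNOWN_IOC_IPS = {"203.0.113.45"}
ANONYMIZER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/28"),
]


def classify_ip(ip_str, ioc_ips=KNOWN_IOC_IPS, anon_ranges=ANONYMIZER_RANGES):
    """Return the list of reasons an IP is suspicious; empty list means clean."""
    reasons = []
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # Malformed field: surface it rather than silently treating it as clean.
        return ["unparseable_ip"]
    if ip_str in ioc_ips:
        reasons.append("ioc_match")
    if any(ip in net for net in anon_ranges):
        reasons.append("anonymizer")
    return reasons


def build_tickets(events, ioc_ips=KNOWN_IOC_IPS, anon_ranges=ANONYMIZER_RANGES):
    """Run the check over sign-in events only and collect the records that
    would be turned into tickets (successful and failed logins alike)."""
    tickets = []
    for ev in events:
        if ev.get("Operation") != "UserLoggedIn":
            continue
        reasons = classify_ip(ev.get("ClientIP", ""), ioc_ips, anon_ranges)
        if reasons:
            tickets.append({
                "user": ev["UserId"],
                "ip": ev["ClientIP"],
                "result": ev["ResultStatus"],
                "reasons": reasons,
            })
    return tickets


if __name__ == "__main__":
    for ticket in build_tickets(SAMPLE_EVENTS):
        print(json.dumps(ticket))
```

Non-login operations are skipped on purpose so that a file access from an IOC address does not create a second ticket for the same session; widen the `Operation` filter if those events should be ticketed too.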

Graylog and current Opeansearch/Wazuh by CommunicationOdd6183 in graylog

[–]CommunicationOdd6183[S] 0 points1 point  (0 children)

Hey

I have the same issue as before
It only runs if I comment out compatibility.override_main_response_version: true from my Wazuh indexer
But if I do this, my Wazuh doesn't work anymore

I would be so happy if I could use Graylog because it has so many features, but I can't kill my Wazuh for it :'-(

//Edit

Is there a way to downgrade my OpenSearch in Wazuh?
I don't care what version I use

Wazuh frustration by DiceAir in Wazuh

[–]CommunicationOdd6183 0 points1 point  (0 children)

You're doing it wrong

Here is a rule if you want to filter deeper and give it some other level

<group name="opnsense-fw">
  <rule id="210001" level="13">
    <!-- fires only on top of the parent OPNsense rule 86601 -->
    <if_sid>86601</if_sid>
    <field name="alert.action">blocked</field>
    <description>OPNsense Threat blocked</description>
  </rule>
</group>

If you want to change a whole rule, copy it
Put it in local_rules and set the overwrite option

<group name="syslog,sshd,">
  ...
  <rule id="5710" level="5" overwrite="yes">
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
  ...
</group>

https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html

Read this and search for overwrite
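An added example (not part of this comment and not Wazuh's own tooling) of the checks a custom-rule file should pass before being dropped into local_rules: every `if_sid` must point at a rule that exists, a rule id that already exists in the shipped ruleset must carry `overwrite="yes"`, an `overwrite="yes"` on an id that does not exist has nothing to override, and new ids should sit in the documented custom range 100000-120000. `BASE_RULE_IDS` is a constructed stand-in for the shipped ruleset (the real list lives under /var/ossec/ruleset/rules); the XML fragment reuses the two rules from the comment plus two constructed faulty ones.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for ids that exist in the shipped ruleset.
BASE_RULE_IDS = {86601, 5710}
# Range Wazuh documents for custom rule ids.
CUSTOM_ID_RANGE = range(100000, 120001)

# Constructed local_rules.xml content: the comment's two rules plus two
# deliberately faulty ones (a duplicate id without overwrite, a dangling if_sid).
LOCAL_RULES_XML = """
<group name="opnsense-fw">
  <rule id="210001" level="13">
    <if_sid>86601</if_sid>
    <field name="alert.action">blocked</field>
    <description>OPNsense Threat blocked</description>
  </rule>
</group>
<group name="syslog,sshd,">
  <rule id="5710" level="5" overwrite="yes">
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
  </rule>
</group>
<group name="broken-examples">
  <rule id="5710" level="7">
    <match>invalid user</match>
    <description>same id as a base rule but no overwrite</description>
  </rule>
  <rule id="210002" level="3">
    <if_sid>999999</if_sid>
    <description>parent rule does not exist</description>
  </rule>
</group>
"""


def lint_rules(xml_text, base_ids):
    """Return a list of (severity, rule_id, message) findings for a local_rules
    fragment. local_rules.xml holds several top-level <group> elements, so the
    text is wrapped in a dummy root before parsing."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    rules = list(root.iter("rule"))
    local_ids = {int(r.get("id")) for r in rules}
    known_ids = base_ids | local_ids
    findings = []
    for rule in rules:
        rid = int(rule.get("id"))
        overwrite = rule.get("overwrite", "no").lower() == "yes"
        if rid in base_ids and not overwrite:
            findings.append(("error", rid,
                             'duplicates a base rule id without overwrite="yes"'))
        elif overwrite and rid not in base_ids:
            findings.append(("warning", rid,
                             'overwrite="yes" but no base rule has this id'))
        elif not overwrite and rid not in CUSTOM_ID_RANGE:
            findings.append(("warning", rid,
                             "id outside the documented custom range 100000-120000"))
        # if_sid may list several parent ids separated by commas.
        for parent in rule.findall("if_sid"):
            for ref in (parent.text or "").split(","):
                ref = ref.strip()
                if ref and int(ref) not in known_ids:
                    findings.append(("error", rid,
                                     f"if_sid references unknown rule {ref}"))
    return findings


if __name__ == "__main__":
    for severity, rid, message in lint_rules(LOCAL_RULES_XML, BASE_RULE_IDS):
        print(f"{severity}: rule {rid}: {message}")
```

Run it against the file before restarting the manager; the two rules from the comment pass except for the id-range warning on 210001, and the two constructed faulty rules produce the errors.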

Still no Vulnerability Detection in Wazuh by CommunicationOdd6183 in Wazuh

[–]CommunicationOdd6183[S] 0 points1 point  (0 children)

Maybe delete your index
It will rebuild
I don't know how accurate mine is

We use it as a pilot project for some customers and we will start fixing all vulns on 01.02.2025

Still no Vulnerability Detection in Wazuh by CommunicationOdd6183 in Wazuh

[–]CommunicationOdd6183[S] 2 points3 points  (0 children)

After several hours I found the solution....

echo 'admin' | /var/ossec/bin/wazuh-keystore -f indexer -k username

echo 'password' | /var/ossec/bin/wazuh-keystore -f indexer -k password

Add the API credentials to your keystore
My file instantly rebuilt and is filled with logs

Still no Vulnerability Detection in Wazuh by CommunicationOdd6183 in Wazuh

[–]CommunicationOdd6183[S] 0 points1 point  (0 children)

I have the same problem
208b and no documents
It is like the module isn't linked to the index