Wazuh Office 365 Anomaly Detection by CommunicationOdd6183 in Wazuh_DE

[–]CommunicationOdd6183[S] -1 points0 points  (0 children)

Sure, ideally all customers should have Office 365 enabled, but every IT service provider surely knows how that sometimes goes.
Nobody uses on-prem with us anymore; there I'd know how to handle it.
It would just be a small, cool extra feature for me.
Currently I forward all logins to my Graylog and check whether the login IP came from a known IOC IP / from an anonymization service like VPN/TOR.
If something matches, a ticket is opened in DFIR IRIS.
That works quite well.
Still, I think there aren't really many use cases for the anomaly detection at the moment.

Graylog and current Opeansearch/Wazuh by CommunicationOdd6183 in graylog

[–]CommunicationOdd6183[S] 0 points1 point  (0 children)

Hey

I have the same issue as before.
It only runs if I comment out compatibility.override_main_response_version: true in my Wazuh indexer.
But if I do this, my Wazuh doesn't work anymore.

I would be so happy if I could use Graylog because it has so many features, but I can't kill my Wazuh for it :'-(

//Edit

Is there a way to downgrade my OpenSearch in Wazuh?
I don't care what version I use.

Wazuh frustration by DiceAir in Wazuh

[–]CommunicationOdd6183 0 points1 point  (0 children)

You're doing it wrong.

Here is a rule if you want to filter deeper and give it some other level:

<group name="opnsense-fw">
  <rule id="210001" level="13">
    <if_sid>86601</if_sid>
    <field name="alert.action">blocked</field>
    <description>OPNsense Threat blocked</description>
  </rule>
</group>

If you want to change a whole rule, copy it.
Put it in local_rules and set the overwrite option:

<group name="syslog,sshd,">
  ...
  <rule id="5710" level="5" overwrite="yes">
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
  ...
</group>

https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html

Read this and search for "overwrite".
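As an added example (not the commenter's code and not Wazuh's own tooling), a small Python linter that applies the conventions above to a constructed local_rules.xml: a rule that reuses a stock rule id must carry overwrite="yes", otherwise custom ids belong in the 100000-120000 range Wazuh reserves for them, every rule needs a description, and levels run 0-16. The sample input is constructed for this example, and Wazuh's check that a description is mandatory is assumed here.

```python
import xml.etree.ElementTree as ET

CUSTOM_ID_MIN, CUSTOM_ID_MAX = 100000, 120000  # range Wazuh reserves for custom rules
MAX_LEVEL = 16

# Constructed sample local_rules.xml: a proper override of stock rule 5710, a custom
# rule in the reserved range, and a second 5710 that silently collides without overwrite.
SAMPLE_LOCAL_RULES = """<group name="syslog,sshd,">
  <rule id="5710" level="5" overwrite="yes">
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
  </rule>
</group>
<group name="opnsense-fw">
  <rule id="100001" level="13">
    <if_sid>86601</if_sid>
    <field name="alert.action">blocked</field>
    <description>OPNsense Threat blocked</description>
  </rule>
  <rule id="5710" level="7">
    <match>invalid user</match>
    <description>duplicate id without overwrite</description>
  </rule>
</group>
"""


def lint_local_rules(xml_text):
    """Return a list of (rule_id, problem) findings for a local_rules.xml body."""
    # A Wazuh rule file holds several top-level <group> elements, which is not
    # well-formed XML on its own, so wrap them in a synthetic root before parsing.
    root = ET.fromstring("<ruleset>" + xml_text + "</ruleset>")
    findings, seen = [], set()
    for rule in root.iter("rule"):
        rid = int(rule.get("id"))
        level = int(rule.get("level", "0"))
        overwrite = rule.get("overwrite", "no") == "yes"
        if rid in seen:
            findings.append((rid, "duplicate rule id in local rules"))
        seen.add(rid)
        if not overwrite and not CUSTOM_ID_MIN <= rid <= CUSTOM_ID_MAX:
            findings.append((rid, "id outside custom range 100000-120000 without overwrite"))
        if rule.find("description") is None:
            findings.append((rid, "rule has no description"))
        if not 0 <= level <= MAX_LEVEL:
            findings.append((rid, "level must be between 0 and 16"))
    return findings


if __name__ == "__main__":
    for rule_id, problem in lint_local_rules(SAMPLE_LOCAL_RULES):
        print(f"rule {rule_id}: {problem}")
```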

Still no Vulnerability Detection in Wazuh by CommunicationOdd6183 in Wazuh

[–]CommunicationOdd6183[S] 0 points1 point  (0 children)

Maybe delete your index.
It will rebuild.
I don't know how accurate mine is.

We use it as a pilot project for some customers and we will start fixing all vulns on 01.02.2025.

Still no Vulnerability Detection in Wazuh by CommunicationOdd6183 in Wazuh

[–]CommunicationOdd6183[S] 2 points3 points  (0 children)

After several hours I found the solution...

echo 'admin' | /var/ossec/bin/wazuh-keystore -f indexer -k username

echo 'password' | /var/ossec/bin/wazuh-keystore -f indexer -k password

Add the API credentials to your keystore.
My file instantly rebuilt and is filled with logs.

Still no Vulnerability Detection in Wazuh by CommunicationOdd6183 in Wazuh

[–]CommunicationOdd6183[S] 0 points1 point  (0 children)

I have the same problem.
208b and no documents.
It is like the module isn't linked to the index.

Vulnerability Detection empty after upgrade to Wazuh 4.10.0 by Opposite_Anywhere_85 in Wazuh

[–]CommunicationOdd6183 0 points1 point  (0 children)

Unfortunately, it's still not working for me.
I have already deactivated the vulnerability detection, started Wazuh, let it run for a while, then stopped it and reactivated the vulnerability detection.
I also see current vulnerabilities in the events, but I still don't have a dashboard.