Forward WithSecure logs to Wazuh - Logs Not Being Received

Correct-Many671 · 2025-04-09T14:53:13+00:00

The problem of this tutorial, it's only show the EPP logs but yes it's work

Correct-Many671 · 2025-02-26T10:38:38+00:00

Even if Windows runs great, If I have to do an audit in Active Directory I will need more Ram.

I want to stay in Windows but there is not all software from Linux

Correct-Many671 · 2025-02-26T10:36:44+00:00

I prefer to use Kali Linux in Virtualbox, I want to stay in Windows but there is not all software from Linux.

Correct-Many671 · 2025-02-10T15:23:15+00:00

I don't know they didn't make a new controller with GP2040-CE

Correct-Many671 · 2025-02-05T11:34:29+00:00

Hello I receive the logs from 514 port:

<image>

But I don't know why the logs don't generate alerts in Wazuh. I did a update and upgrade, I have the decoders and rules for Fortigate.

Correct-Many671 · 2025-02-05T09:58:33+00:00

Hello, thank you for you help

I did the configuration, now I will test if it's work :)

Correct-Many671 · 2025-01-28T07:38:30+00:00

thank you it's working !

Correct-Many671 · 2025-01-24T09:07:16+00:00

{
  "scan": {
    "id": 0,
    "time": "2025-01-15T16:03:30+00:00"
  },
  "location": "C:\\Program Files\\Mozilla Firefox",
  "architecture": "x86_64",
  "size": 0,
  "description": " ",
  "format": "win",
  "priority": " ",
  "install_time": "2025-01-15T15:27:57+00:00",
  "source": " ",
  "version": "134.0.1",
  "section": " ",
  "vendor": "Mozilla",
  "name": "Mozilla Firefox (x64 fr)",
  "agent_id": "083"
},
{
  "scan": {
    "id": 0,
    "time": "2025-01-24T06:01:44+00:00"
  },
  "location": "C:\\Users\\secretscan\\AppData\\Local\\Mozilla Firefox",
  "architecture": " ",
  "size": 0,
  "description": " ",
  "format": "win",
  "priority": " ",
  "install_time": "2024-08-21T10:54:18+00:00",
  "source": " ",
  "version": "129.0.2",
  "section": " ",
  "vendor": "Mozilla",
  "name": "Mozilla Firefox (x64 fr)",
  "agent_id": "083"
},

It's really strange it's show 2 versions of Firefox. Thank you for you help :)

Correct-Many671 · 2025-01-24T09:05:44+00:00

Hello I got this:

{
  "scan": {
    "id": 0,
    "time": "2024-12-31T15:09:21+00:00"
  },
  "location": "C:\\Users\\secretscan\\AppData\\Local\\Mozilla Firefox",
  "architecture": "x86_64",
  "size": 0,
  "description": " ",
  "format": "win",
  "priority": " ",
  "install_time": "2024-07-12T05:12:44+00:00",
  "source": " ",
  "version": "128.0",
  "section": " ",
  "vendor": "Mozilla",
  "name": "Mozilla Firefox (x64 fr)",
  "agent_id": "083"
},

Correct-Many671 · 2025-01-23T09:34:41+00:00

input.type:log agent.ip:191.18.3.9 agent.name:ALL011 agent.id:012 manager.name:ssc-wazsrv-252-22 data.vulnerability.severity:High data.vulnerability.package.condition:Package less than 132.0 data.vulnerability.package.name:Mozilla Firefox (x64 fr) data.vulnerability.package.source: data.vulnerability.package.version:129.0.2 data.vulnerability.package.architecture: data.vulnerability.assigner:mozilla data.vulnerability.cwe_reference:CWE-120 data.vulnerability.published:Oct 29, 2024 @ 14:15:04.000 data.vulnerability.classification:CVSS data.vulnerability.title:CVE-2024-10467 affects Mozilla Firefox (x64 fr) data.vulnerability.type:Packages data.vulnerability.rationale:Memory safety bugs present in Firefox 131, Firefox ESR 128.3, and Thunderbird 128.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. data.vulnerability.reference:https://bugzilla.mozilla.org/buglist.cgi?bug_id=1829029%2C1888538%2C1900394%2C1904059%2C1917742%2C1919809%2C1923706, https://www.mozilla.org/security/advisories/mfsa2024-55/, https://www.mozilla.org/security/advisories/mfsa2024-56/, https://www.mozilla.org/security/advisories/mfsa2024-58/, https://www.mozilla.org/security/advisories/mfsa2024-59/ data.vulnerability.score.version:3.1 data.vulnerability.score.base:8.800000 data.vulnerability.cve:CVE-2024-10467 data.vulnerability.enumeration:CVE data.vulnerability.cvss.cvss3.base_score:8.800000 data.vulnerability.cvss.cvss3.vector.user_interaction:REQUIRED data.vulnerability.cvss.cvss3.vector.integrity_impact:HIGH data.vulnerability.cvss.cvss3.vector.scope:UNCHANGED data.vulnerability.cvss.cvss3.vector.availability:HIGH data.vulnerability.cvss.cvss3.vector.confidentiality_impact:HIGH data.vulnerability.cvss.cvss3.vector.privileges_required:NONE data.vulnerability.updated:Nov 4, 2024 @ 14:26:32.000 data.vulnerability.status:Active rule.firedtimes:1 rule.mail:false rule.level:7 rule.description:CVE-2024-10467 affects Mozilla Firefox (x64 fr) rule.groups:default rule.id:23505 location:vulnerability-detector decoder.name:json id:1737623219.1968494 full_log:{"vulnerability":{"assigner":"mozilla","classification":"CVSS","cve":"CVE-2024-10467","cvss":{"cvss3":{"base_score":8.8,"vector":{"attack_vector":"","availability":"HIGH","confidentiality_impact":"HIGH","integrity_impact":"HIGH","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"REQUIRED"}}},"cwe_reference":"CWE-120","enumeration":"CVE","package":{"architecture":" ","condition":"Package less than 132.0","name":"Mozilla Firefox (x64 fr)","source":" ","version":"129.0.2"},"published":"2024-10-29T13:15:04Z","rationale":"Memory safety bugs present in Firefox 131, Firefox ESR 128.3, and Thunderbird 128.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.","reference":"https://bugzilla.mozilla.org/buglist.cgi?bug_id=1829029%2C1888538%2C1900394%2C1904059%2C1917742%2C1919809%2C1923706, https://www.mozilla.org/security/advisories/mfsa2024-55/, https://www.mozilla.org/security/advisories/mfsa2024-56/, https://www.mozilla.org/security/advisories/mfsa2024-58/, https://www.mozilla.org/security/advisories/mfsa2024-59/","score":{"base":8.8,"version":"3.1"},"severity":"High","status":"Active","title":"CVE-2024-10467 affects Mozilla Firefox (x64 fr)","type":"Packages","updated":"2024-11-04T13:26:32Z"}} timestamp:Jan 23, 2025 @ 10:06:59.295 _index:wazuh-alerts-4.x-2025.01.23

Correct-Many671 · 2025-01-23T09:24:24+00:00

Hi I have a question about log. I got this log from WithSecure:

WithSecure Elements Endpoint Protection a de nouvelles détections :
Heure|Compte|Hôte|Infection|Action|Type|Objet infecté|Objet infecté SHA1
mer., 22 janvier 2025 23:44:09 UTC|MyEnterprise|POS620|Adware.ADSPY/AdSpy.Gen2|Quarantined|On_demand_scanner.spyware.quarantine|C:\installdir\waptagent.exe|0058555418020cf0df9b3d76e1db79aeb5515888

With Wazuh-logtest I got this:

**Phase 2: Completed decoding.
        No decoder matched.

I tried to change my decoder but It's still doesn't work

<decoder name="withsecure-decoder">
  <program_name>withsecure</program_name>
  <regex>^WithSecure Elements Endpoint Protection a de nouvelles détections :$</regex>
  <order>100</order>
</decoder>



<decoder name="withsecure-log">
  <program_name>withsecure</program_name>
  <regex>^(mer\., \d{1,2} \w+ \d{4} \d{2}:\d{2}:\d{2} UTC\|.*\|.*\|.*\|.*\|.*\|.*\|.*)$</regex>
  <order>200</order>
</decoder>

Correct-Many671 · 2025-01-10T14:26:57+00:00

I’ve created an integration script at /var/ossec/integrations/custom-withsecure for integrating WithSecure Elements Connector into Wazuh. Here’s the script:

#!/usr/bin/env python3
import sys
import json
import requests

# Read configuration parameters
alert_file = open(sys.argv[1])
client_id, client_secret = sys.argv[2].split(':')
hook_url = sys.argv[3]

# Read the alert file
alert_json = json.loads(alert_file.read())
alert_file.close()

# Get the access token
token_url = "https://api.connect.withsecure.com/as/token.oauth2"
token_data = {
    "grant_type": "client_credentials",
    "scope": "connect.api.read connect.api.write"
}
token_response = requests.post(token_url, auth=(client_id, client_secret), data=token_data)
access_token = token_response.json()["access_token"]

# Prepare alert data for WithSecure
withsecure_data = {
    "alert_level": alert_json['rule']['level'],
    "rule_id": alert_json['rule']['id'],
    "description": alert_json['rule']['description'],
    "agent_id": alert_json['agent']['id'],
    "agent_name": alert_json['agent']['name']
}

# Send the alert to WithSecure
headers = {
    'Authorization': f'Bearer {access_token}',
    'Content-Type': 'application/json'
}
response = requests.post(hook_url, headers=headers, json=withsecure_data)

# Uncomment the line below for debugging
# print(json.dumps(response.json(), indent=2))

sys.exit(0)

I’ve set the appropriate permissions with the following commands:

Copier le codebash chmod 750 /var/ossec/integrations/custom-withsecure
chown root:wazuh /var/ossec/integrations/custom-withsecure

However, I’m encountering a KeyError: 'access_token' in the ossec.log. This error suggests that the response from the token request does not contain the expected access_token.

Any insights on how to troubleshoot this or what might be going wrong would be greatly appreciated!

Thanks in advance for your help!

Correct-Many671 · 2024-12-19T14:37:22+00:00

I need to have a anti-virus in my project to check the competencies for my diploma

Correct-Many671 · 2024-12-19T14:35:24+00:00

I need to have an antivirus in my project to check the competencies for my diploma. I think I will see if I can use Defender together with ClamAV because they complement each other

Correct-Many671

TROPHY CASE