demos's People

Contributors

opensecureco

demos's Issues

Add host parameter to command

./securityadmin.sh -cd ../securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem

In some cases, the host parameter needs to be defined if elasticsearch isn't running on localhost (127.0.0.1)

./securityadmin.sh -cd ../securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem -h <ip_address>

Telegram Integration partially works

It worked! I get all alerts according to the rule level. But I created a custom rule from a syslog; for this custom rule, not even with level 12 does it arrive in my Telegram ;(

my custom rule in local_rules:

1002 Access denied for user|create database|drop database| arm-mysql Mysql Events

Ubuntu 22/20/18 copy and paste issues

I installed all packages, but copy and paste will not work. I did it manually anyway and got Cuckoo installed, but the virtual machine inside Ubuntu would not install; it states there is no active space when there is space.

Output: KeyError: 'data'

Seeing this:

wazuh-integratord: ERROR: Unable to run integration for custom-telegram -> integrations
wazuh-integratord: ERROR: While running custom-telegram -> integrations. Output: KeyError: 'data'
wazuh-integratord: ERROR: Exit status was: 1

when it's attempting to process a

decoder.name: syscheck_integrity_changed
File '/etc/shadow' modified Mode: scheduled Changed attributes: size,mtim.......

Would have thought it would process with an N/A?

Other alerts are working fine.

Any thoughts?
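The KeyError: 'data' in the log above is what direct indexing (alert["data"][...]) produces when the alert has no "data" block, which is normal for syscheck (FIM) alerts such as the /etc/shadow one shown. The following is an added example, not the project's custom-telegram script, of how a Wazuh-style integration can build its message defensively and substitute N/A for absent fields. The two alert documents are constructed for the example; the assumption that wazuh-integratord passes the alert file path as the first argument follows the usual custom-integration convention and is labelled in the code.

```python
import json
import sys

# Constructed sample alerts for this example (not captured from the page):
# the first carries a "data" block, the second is a syscheck (FIM) alert
# that has none, which is the shape that produced KeyError: 'data' above.
SAMPLE_WITH_DATA = json.dumps({
    "rule": {"level": 12, "id": "100002", "description": "Mysql Events"},
    "agent": {"name": "db01", "ip": "10.0.0.5"},
    "decoder": {"name": "arm-mysql"},
    "data": {"srcuser": "app", "srcip": "10.0.0.7"},
})
SAMPLE_SYSCHECK = json.dumps({
    "rule": {"level": 7, "id": "550", "description": "Integrity checksum changed."},
    "agent": {"name": "web01", "ip": "10.0.0.8"},
    "decoder": {"name": "syscheck_integrity_changed"},
    "syscheck": {"path": "/etc/shadow", "mode": "scheduled",
                 "changed_attributes": ["size", "mtime"]},
})

NA = "N/A"


def parse_alert(text):
    """Decode one alert JSON document into a dict."""
    return json.loads(text)


def field(obj, *keys, default=NA):
    """Walk nested keys and return `default` if any level is missing,
    instead of raising KeyError the way direct indexing does."""
    cur = obj
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def naive_srcip(alert):
    """The failing pattern: direct indexing raises KeyError on alerts
    that have no "data" block (e.g. syscheck alerts)."""
    return alert["data"]["srcip"]


def format_alert(alert):
    """Build the notification text, substituting N/A for absent fields."""
    lines = [
        f"Agent: {field(alert, 'agent', 'name')}",
        f"Rule: {field(alert, 'rule', 'id')} (level {field(alert, 'rule', 'level')})",
        f"Description: {field(alert, 'rule', 'description')}",
        f"Decoder: {field(alert, 'decoder', 'name')}",
    ]
    data = alert.get("data")
    if isinstance(data, dict) and data:
        for key in sorted(data):
            lines.append(f"data.{key}: {data[key]}")
    else:
        lines.append(f"data: {NA}")
    syscheck = alert.get("syscheck")
    if isinstance(syscheck, dict):
        lines.append(f"File: {syscheck.get('path', NA)} ({syscheck.get('mode', NA)})")
        attrs = syscheck.get("changed_attributes") or []
        lines.append("Changed: " + (",".join(attrs) if attrs else NA))
    return "\n".join(lines)


def should_notify(alert, min_level=12):
    """Apply the level threshold; a missing or non-numeric level never notifies."""
    try:
        return int(field(alert, "rule", "level", default=-1)) >= min_level
    except (TypeError, ValueError):
        return False


def build_message(alert_text):
    """Parse one alert document and render the message body."""
    return format_alert(parse_alert(alert_text))


if __name__ == "__main__":
    # Assumed convention: wazuh-integratord passes the alert file path as
    # the first argument. With no argument the constructed samples are used
    # so the script runs offline.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sources = [fh.read()]
    else:
        sources = [SAMPLE_WITH_DATA, SAMPLE_SYSCHECK]
    for src in sources:
        print(build_message(src))
        print("---")
```

Run it with no arguments to see both renderings; the syscheck alert yields "data: N/A" plus the file path and changed attributes rather than an exit status of 1. The same `field` helper is what a template such as the rule's `{match[data][id]}` placeholder needs behind it whenever an alert type lacks that path.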

Elastalert alert not showing in TheHive4

I followed your Elastalert configuration tutorial video on YouTube, in which you demonstrated an example rule for TheHive being hit after several failed login attempts, after which a case (alert) for that alert was generated in TheHive. In my scenario I copied the rule that you used in the video and edited it to my requirement, but I am unable to receive any alerts on my TheHive instance, even though my rule gets hit when I test it and even shows up in the index pattern. I have Cortex and MISP integrated in my TheHive instance too.
Here is my rule; I am detecting USB plug-ins on a specified PC:

es_host: 192.168.1.165
es_port: 9200
name: Wazuh
type: frequency
index: wazuh-alerts-*
num_events: 1
timeframe:
  minutes: 1
filter:
  - term:
      agent.name: "siemdev-PowerEdge-T440"
  - query:
      query_string:
        query: "data.id:usb"
realert:
  minutes: 3
alert: hivealerter
hive_connection:
  hive_host: http://192.168.1.247
  hive_port: 9000
  hive_apikey: NOhN9pkOSyFYHG8fMTLw4GRVq/070lzM

hive_alert_config:
  type: 'external'
  source: 'elastalert'
  description: '{rule[name]}'
  severity: 2
  tags: ['{rule[name]}', '{match[data][id]}', '{match[agent][name]}']
  tlp: 3
  status: 'New'
  follow: True

hive_observable_data_mapping:
  - ip: "{match[agent][ip]}"

I am attaching screenshots of the Elasticsearch index pattern as well as the result of testing the rule:
[Screenshots attached: Screenshot 2022-07-27 112943, Screenshot 2022-07-27 113050, Screenshot 2022-07-27 113102]

Please help in rectifying this problem; I've been searching online for quite a while but to no avail.

ClamAV Install

Hi guys, first, thank you for sharing your work.
I have a question, if you would like to answer :)
I am trying to set up ClamAV as a standalone antivirus on Linux Ubuntu workstations.
The problem is with the daemon; I cannot find a solution to set it up to work properly ...
Do you maybe have instructions on how to set it up for Ubuntu, like you created for CentOS? :)

Thank you in advance!

Command did not work for me

I would like to contribute some extra information.

Did not work:
chown root:ossec /var/ossec/integrations/custom-telegram*

Works for me:
chown root:wazuh /var/ossec/integrations/custom-telegram*

Thanks for the script it works like a charm :)

Cuckoo Sandbox images

Can you share the OVA file with Cuckoo Sandbox installed? I tried installing, but it's not working.
