Forgot to mention all rules and decoders are fully compatible with any
OSSEC version higher or equal to 2.8, so you can use those whether or not
you decide to use the other modules (for integration with ELK or the
RESTful API). There is actually a script/tool that can be used to keep the
rules updated.

Best

On Tue, Jan 5, 2016 at 11:14 AM, Santiago Bassett <
[email protected]> wrote:

> Hi,
>
> the dashboards we have created can be found here:
>
> https://github.com/wazuh/ossec-wazuh/tree/master/extensions/kibana
>
> Regarding the rules, here is the repo:
>
> https://github.com/wazuh/ossec-rules
>
> When the rule is related to a PCI control, that information is included in
> the groups section, for example:
>
>   <rule id="18106" level="5">
>     <if_sid>18105</if_sid>
>     <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
>     <description>Windows Logon Failure.</description>
>     <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
>   </rule>
>
>
> This, combined with the modified json output, allows us to create the
> dashboards for PCI in Kibana.
>
> On the other hand we are about to publish rules/decoders for Amazon AWS
> (in case you happen to use it), you can already see the work we are doing
> in the development branch.
>
> Best
>
> On Tue, Jan 5, 2016 at 7:13 AM, <[email protected]> wrote:
>
>> I took a look and it looks great, but I was wondering if you had any
>> customized dashboards or favorite OSSEC rules to share?
>>
>> Thanks for all the great work.
>>
>>
>>
>> On Tuesday, December 22, 2015 at 10:44:07 PM UTC-5, Santiago Bassett
>> wrote:
>>>
>>> Hi,
>>>
>>> in case you are interested, we have done some work integrating OSSEC
>>> with ELK (especially for those using them to be compliant with PCI DSS, not
>>> sure if this is the case), including the creation of Kibana dashboards.
>>>
>>> We have also created a RESTful API for OSSEC that we plan to use with the
>>> new Kibana plugin functionality (added in version 4.2), to be able to
>>> monitor/control your OSSEC deployments from Kibana (e.g. agent status,
>>> syscheck or rootcheck settings, agent keys, loaded rules...)
>>>
>>> See more info in our website at:
>>> http://documentation.wazuh.com/en/latest/ossec_elk.html
>>>
>>> Best regards,
>>>
>>> Santiago.
>>>
>>> On Thu, Dec 17, 2015 at 8:24 AM, <[email protected]> wrote:
>>>
>>>> I've been tasked with tuning OSSEC.
>>>>
>>>> I'm wondering if there is a general guideline or process. We have
>>>> OSSEC feeding into the ELK stack. What are folks' thoughts on tuning vs. coming
>>>> up with better Kibana hunting searches?
>>>>
>>>> Thanks!
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>
>
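As an added example (not code from this thread or from the wazuh repositories), the following Python parses rules in the format quoted above, collects the pci_dss_* tags from each rule's groups, builds a per-control index, and emits the rule part of an alert with pci_dss as a list so a Kibana PCI dashboard can filter on single controls. The sample XML and the alert field names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the format quoted in the thread; not taken from the wazuh repo.
RULES_XML = """
<group name="windows,">
  <rule id="18105" level="3">
    <description>Windows event grouping.</description>
  </rule>
  <rule id="18106" level="5">
    <if_sid>18105</if_sid>
    <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
    <description>Windows Logon Failure.</description>
    <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>
</group>
"""


def load_rules(xml_text):
    """Parse rule XML into {rule_id: {...}}; rule files have several top-level
    <group> elements and no single root, so a synthetic root is wrapped around them."""
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = {}
    for grp in root.findall("group"):
        # trailing commas (as in "windows,") leave empty items, dropped here
        inherited = [g.strip() for g in (grp.get("name") or "").split(",") if g.strip()]
        for rule in grp.findall("rule"):
            own = [g.strip() for g in (rule.findtext("group") or "").split(",") if g.strip()]
            groups = inherited + own
            rules[rule.get("id")] = {
                "level": int(rule.get("level", "0")),
                "description": (rule.findtext("description") or "").strip(),
                "groups": groups,
                # pci_dss_10.2.4 -> "10.2.4": the control a PCI dashboard filters on
                "pci_dss": [g[len("pci_dss_"):] for g in groups if g.startswith("pci_dss_")],
            }
    return rules


def pci_index(rules):
    """Map each PCI DSS control to the sorted list of rule ids that reference it."""
    index = {}
    for rid, r in rules.items():
        for ctl in r["pci_dss"]:
            index.setdefault(ctl, []).append(rid)
    return {c: sorted(ids) for c, ids in index.items()}


def alert_rule_fields(rules, rule_id):
    """Rule sub-object of a JSON alert (assumed field names, not OSSEC's own);
    pci_dss is a list rather than a comma string so dashboards can filter per control."""
    r = rules[rule_id]
    return {"id": int(rule_id), "level": r["level"], "description": r["description"],
            "groups": r["groups"], "pci_dss": r["pci_dss"]}
```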
