Is your feature request related to a problem?
The wazuh-indexer-security-analytics plugin is currently limited to Sigma Rules and a very limited correlation mechanism coming from opensearch-security-analytics.
What solution would you like?
It would be a great addition if wazuh-indexer-security-analytics could implement Sigma Correlation Support.
What alternatives have you considered?
Currently the only way to support correlation rules would be to create a bucket-level monitor and implement the requests manually, or to use the undocumented opensearch security analytics aggregation system, which is limited to only one field aggregation and limited to one source.
Do you have any additional context?
I started a POC here: https://github.com/CL0Pinette/wazuh-indexer-security-analytics to implement Sigma Correlation rules. I only started to work on this a few days ago, so it is still in a very early stage. I am new to the opensearch codebase and not a good Java developer, so there might be a lot of bad practices in the code.
The POC currently supports the parsing of aliases, group-by, rules and condition keys in a Sigma Correlation Rule.
It also supports the generation of the different aggregations derived from the group-by key, the derived fields generated from the aliases key, and the filter generated from the rules key. It should also support the generation of the monitor condition depending on the condition key, but that is not fully functional.
As I said, it is a very early version of a POC, so not all cases are handled, the exceptions might not be thrown in some invalid cases, etc.
I think that implementing the Sigma Correlation rules is not that complicated and would be a great addition to wazuh (to be able to identify a lot of failed login attempts followed by a successful login attempt). It could also be used to replace the timeframe and frequency options available in Wazuh 4.X, which are removed in 5.X.
Thank you for your work on this great project!
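To make the translation steps described in the issue concrete (rules key to filter, aliases key to derived field, group-by key to aggregation, condition key to monitor trigger), here is an added Python example. It is not code from the linked POC or from wazuh-indexer-security-analytics; it takes an event_count correlation rule in the shape of the Sigma correlation specification, emits the OpenSearch request body a bucket-level monitor could run, and evaluates the same rule offline over constructed detections. The detection field names `rule_id` and `@timestamp`, the `TargetUserName` alias target and the sample events are assumptions made for the example.

```python
"""Sigma correlation rule -> OpenSearch aggregation, plus an offline evaluator.
Added example for this issue, not code from the POC. Field names ("rule_id",
"@timestamp", "TargetUserName") and the events below are assumptions."""
import json
import operator
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed rule in the shape of the Sigma correlation spec (event_count):
# ten or more failed logons for the same user inside five minutes.
CORRELATION_RULE = {
    "type": "event_count",
    "rules": ["failed_logon"],                          # rules key
    "group-by": ["user"],                               # group-by key
    "timespan": "5m",
    "aliases": {"user": {"failed_logon": "TargetUserName"}},  # aliases key
    "condition": {"gte": 10},                           # condition key
}

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
COMPARATORS = {"gte": operator.ge, "gt": operator.gt, "lte": operator.le,
               "lt": operator.lt, "eq": operator.eq}
PAINLESS_OPS = {"gte": ">=", "gt": ">", "lte": "<=", "lt": "<", "eq": "=="}


def parse_timespan(spec):
    """Sigma timespan such as '5m' or '24h' -> seconds."""
    return int(spec[:-1]) * UNITS[spec[-1]]


def resolve_field(rule, field, rule_id):
    """Alias resolution: the concrete field a given Sigma rule uses for the
    alias, or the field itself when it is not aliased."""
    return rule.get("aliases", {}).get(field, {}).get(rule_id, field)


def group_source(rule, field):
    """terms-aggregation source for one group-by field. If every referenced
    rule resolves the alias to the same concrete field, a plain field term is
    enough; otherwise a Painless script picks whichever field the document
    carries (the "derived field" of the issue text)."""
    concrete = {resolve_field(rule, field, r) for r in rule["rules"]}
    if len(concrete) == 1:
        return {"field": concrete.pop()}
    branches = " : ".join(
        f"(doc.containsKey('{f}') && doc['{f}'].size() > 0) ? doc['{f}'].value"
        for f in sorted(concrete))
    return {"script": {"source": f"{branches} : null"}}


def build_aggregation(rule):
    """OpenSearch request body for a bucket-level monitor running this rule.
    Assumes detections carry a 'rule_id' keyword field and '@timestamp'."""
    if len(rule["group-by"]) != 1:
        raise ValueError("this example handles a single group-by field")
    (op, threshold), = rule["condition"].items()
    seconds = parse_timespan(rule["timespan"])
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"terms": {"rule_id": rule["rules"]}},                  # rules
            {"range": {"@timestamp": {"gte": f"now-{seconds}s"}}},  # timespan
        ]}},
        "aggs": {"by_group": {
            "terms": {**group_source(rule, rule["group-by"][0]), "size": 1000},
            "aggs": {
                "events": {"value_count": {"field": "rule_id"}},
                "matched": {"bucket_selector": {                    # condition
                    "buckets_path": {"count": "events"},
                    "script": f"params.count {PAINLESS_OPS[op]} {threshold}"}},
            }}},
    }


def evaluate(rule, events):
    """Offline evaluation of an event_count correlation: per group, the largest
    number of matching events inside any sliding window of `timespan`.
    Returns {group_value: count} for the groups satisfying the condition."""
    (op, threshold), = rule["condition"].items()
    window = timedelta(seconds=parse_timespan(rule["timespan"]))
    field = rule["group-by"][0]
    per_group = defaultdict(list)
    for ev in events:
        if ev["rule_id"] not in rule["rules"]:      # the rules-key filter
            continue
        key = ev.get(resolve_field(rule, field, ev["rule_id"]))
        if key is not None:
            per_group[key].append(ev["@timestamp"])
    matches = {}
    for key, stamps in per_group.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if COMPARATORS[op](best, threshold):
            matches[key] = best
    return matches


T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _event(offset_s, rule_id, user):
    return {"@timestamp": T0 + timedelta(seconds=offset_s),
            "rule_id": rule_id, "TargetUserName": user}


# Constructed detections: alice fails 12 times in under four minutes, bob three
# times spread over 40 minutes, plus one unrelated detection the filter drops.
SAMPLE_EVENTS = (
    [_event(20 * i, "failed_logon", "alice") for i in range(12)]
    + [_event(1200 * i, "failed_logon", "bob") for i in range(3)]
    + [_event(5, "successful_logon", "alice")]
)

if __name__ == "__main__":
    print(json.dumps(build_aggregation(CORRELATION_RULE), indent=2))
    print(evaluate(CORRELATION_RULE, SAMPLE_EVENTS))
```

The offline evaluator is the reference to check the generated query against: with the constructed events only `alice` crosses the threshold, because `bob`'s three failures never fall inside one five-minute window. Note that the `bucket_selector` over a fixed `now-300s` range approximates a sliding window; a monitor interval shorter than the timespan narrows the gap, which is one of the cases a full implementation has to decide on explicitly.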