Introduction
The tags beginning with ids.wazuh identify events generated by Wazuh.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as ids.wazuh. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Wazuh | ids.wazuh.alerts | ids.wazuh.alerts |
For more information, read About Devo tags.
Table structure
These are the fields displayed in this table:
ids.wazuh.alerts
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
timestamp | | | | |
rule__level | | | | |
rule__description | | | | |
rule__id | | | | |
rule__firedtimes | | | | |
rule__mail | | | | |
rule__groups_str | | join(rule__groups, ',') | rule__groups | |
rule__pci_dss_str | | join(rule__pci_dss, ',') | rule__pci_dss | |
rule__gdpr_str | | join(rule__gdpr, ',') | rule__gdpr | |
rule__hipaa_str | | join(rule__hipaa, ',') | rule__hipaa | |
rule__nist_800_53_str | | join(rule__nist_800_53, ',') | rule__nist_800_53 | |
rule__tsc_str | | join(rule__tsc, ',') | rule__tsc | |
rule__mitre__id_str | | join(rule__mitre__id, ',') | rule__mitre__id | |
rule__mitre__tactic_str | | join(rule__mitre__tactic, ',') | rule__mitre__tactic | |
rule__mitre__technique_str | | join(rule__mitre__technique, ',') | rule__mitre__technique | |
rule__gpg13_str | | join(rule__gpg13, ',') | rule__gpg13 | |
agent__id | | | | |
agent__name | | | | |
agent__ip | | | | |
manager__name | | | | |
id | | | | |
full_log | | | | |
syscheck__path | | | | |
syscheck__size_after | | | | |
syscheck__uid_after | | | | |
syscheck__gid_after | | | | |
syscheck__md5_before | | | | |
syscheck__md5_after | | | | |
syscheck__sha1_before | | | | |
syscheck__sha1_after | | | | |
syscheck__changed_attributes_str | | join(syscheck__changed_attributes, ',') | syscheck__changed_attributes | |
syscheck__event | | | | |
predecoder__program_name | | | | |
predecoder__timestamp | | | | |
predecoder__hostname | | | | |
decoder__parent | | | | |
decoder__name | | | | |
data__srcuser | | | | |
data__dstuser | | | | |
data__uid | | | | |
data__id | | | | |
data__status | | | | |
data__extra_data | | | | |
data__system_name | | | | |
data__type | | | | |
data__title | | | | |
data__file | | | | |
data__subject__security_id | | | | |
data__subject__account_name | | | | |
data__subject__account_domain | | | | |
data__subject__login_id | | | | |
data__win__system__providerName | | | | |
data__win__system__providerGuid | | | | |
data__win__system__eventID | | | | |
data__win__system__version | | | | |
data__win__system__level | | | | |
data__win__system__task | | | | |
data__win__system__opcode | | | | |
data__win__system__keywords | | | | |
data__win__system__systemTime | | | | |
data__win__system__eventRecordID | | | | |
data__win__system__processID | | | | |
data__win__system__threadID | | | | |
data__win__system__channel | | | | |
data__win__system__computer | | | | |
data__win__system__severityValue | | | | |
data__win__system__message | | | | |
data__win__eventdata__targetUserSid | | | | |
data__win__eventdata__targetUserName | | | | |
data__win__eventdata__targetDomainName | | | | |
data__win__eventdata__targetLogonId | | | | |
data__win__eventdata__logonType | | | | |
data__win__eventdata__serviceName | | | | |
data__win__eventdata__serviceSid | | | | |
data__win__eventdata__ticketOptions | | | | |
data__win__eventdata__ticketEncryptionType | | | | |
data__win__eventdata__ipAddress | | | | |
data__win__eventdata__ipPort | | | | |
data__win__eventdata__status | | | | |
data__win__eventdata__logonGuid | | | | |
location | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |
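As an added illustration (not Devo's or Wazuh's own code) of the two conventions on this page, the three-level ids.wazuh tag and the join(field, ',') transformation behind the _str columns, the script below checks a tag and turns a constructed Wazuh alert into a row keyed like the ids.wazuh.alerts table. It assumes that nested JSON keys map to column names joined with '__' (inferred from the field names above) and that every _str column is the documented join of its array-valued source field.

```python
import re

# Tag rule from the page: exactly three levels, the first two fixed as ids.wazuh.
TAG_RE = re.compile(r"^ids\.wazuh\.[A-Za-z0-9_]+$")

# Array-valued source fields whose '<field>_str' column is join(<field>, ',') on the page.
JOINED_FIELDS = (
    "rule__groups", "rule__pci_dss", "rule__gdpr", "rule__hipaa",
    "rule__nist_800_53", "rule__tsc", "rule__mitre__id", "rule__mitre__tactic",
    "rule__mitre__technique", "rule__gpg13", "syscheck__changed_attributes",
)

def valid_tag(tag: str) -> bool:
    """True when the tag has three levels and starts with ids.wazuh."""
    return TAG_RE.match(tag) is not None

def flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten nested dicts into 'a__b__c' keys (assumed Devo naming convention)."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}__{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out

def to_table_row(alert: dict) -> dict:
    """Flatten the alert and add the join(..., ',') columns for array fields."""
    row = flatten(alert)
    for field in JOINED_FIELDS:
        if isinstance(row.get(field), list):
            row[field + "_str"] = ",".join(str(v) for v in row[field])
    return row

# Constructed sample alert; not captured from a real Wazuh manager.
SAMPLE_ALERT = {
    "timestamp": "2024-01-01T00:00:00.000+0000",
    "rule": {"level": 10, "id": "60122", "description": "Logon failure",
             "groups": ["windows", "authentication_failed"],
             "mitre": {"id": ["T1110"], "tactic": ["Credential Access"]}},
    "agent": {"id": "001", "name": "win-host"},
    "data": {"win": {"system": {"eventID": "4625"},
                     "eventdata": {"logonType": "3"}}},
}

if __name__ == "__main__":
    row = to_table_row(SAMPLE_ALERT)
    print(valid_tag("ids.wazuh.alerts"), row["rule__groups_str"], row["data__win__system__eventID"])
```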