diff --git a/integrations/tools/events-generator/wazuh-alerts/alerts.json b/integrations/tools/events-generator/wazuh-alerts/alerts.json index 92726e79ba855..62a02853ca67a 100644 --- a/integrations/tools/events-generator/wazuh-alerts/alerts.json +++ b/integrations/tools/events-generator/wazuh-alerts/alerts.json @@ -998,3 +998,37 @@ {"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} {"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} {"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Canada", "location": {"lat": 49.2496605, "lon": -123.119339}, "region_name": "Vancouver", "city_name": "Vancouver"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 2.25.80.45] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Spain", "location": {"lat": 37.1881714, "lon": -3.6066699}, "region_name": "Andaluc\u00eda", "city_name": "Granada"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 70.24.101.214] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 75.0.101.245] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Germany", "location": {"lat": 52.524, "lon": 13.411}, "region_name": "Berlin", "city_name": "Berlin"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 160.0.14.40] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Germany", "location": {"lat": 52.524, "lon": 13.411}, "region_name": "Berlin", "city_name": "Berlin"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 2.25.80.45] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "United States of America", "location": {"lat": 40.7142715, "lon": -74.0059662}, "region_name": "New York", "city_name": "New York"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Container nginx_container restarted", "groups": ["docker"], "id": "87909", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "restart", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "maintainer": "NGINX Docker Maintainers "}, "ID": "5f91cd9a9f4c5b370b7314c29cc8a2a28c72a61f9659953fa75df643502b3693"}, "scope": "local", "timeNano": "1586460544801840896.000000", "from": "nginx", "time": "1586460544", "status": "restart"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Container test_container received the action: die", "groups": ["docker"], "id": "87928", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "die", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "test_container", "exitCode": "0", "maintainer": "NGINX Docker Maintainers "}, "ID": "6d145b0c801fce46301fa96354d0ea29e4b1ea82fe7021799a01e2abe04a18c8"}, "scope": "local", "timeNano": "1587084648640092672.000000", "from": "nginx", "time": "1587084648", "status": "die"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Container test_container started", "groups": ["docker"], "id": "87928"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "start", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "test_container", "maintainer": "NGINX Docker Maintainers "}, "ID": "ebe3de16ea5b18aecc216f1cabbab887fd7aa7408dbd761719cd69b3089120fa"}, "scope": "local", "timeNano": "1587084600046795264.000000", "from": "nginx", "time": "1587084600", "status": "start"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Network bridge connected", "groups": ["docker"], "id": "87928"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "connect", "Type": "network", "Actor": {"Attributes": {"container": "fcaa90b845d05ec7ae7a5097a8596b35edf6d368a00f93fe9872a6d5b1449bb9", "name": "bridge", "type": "bridge"}, "ID": "d69c82315c95fee242619571726ead25f9447065db44e814bd3e07ea00daebb2"}, "scope": "local", "timeNano": "1587084599776133888.000000", "time": "1587084599"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 4, "description": "Docker: Network bridge disconnected", "groups": ["docker"], "id": "87929", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "disconnect", "Type": "network", "Actor": {"Attributes": {"container": "555b9855a3d5f97bc5156e3d61bcd67ef236f2875cdfaf4e49659c085c69f942", "name": "bridge", "type": "bridge"}, "ID": "26fc9c96a6d0077c55b4ab068408df1be2c77789254262ae65d4f469b7f520fb"}, "scope": "local", "timeNano": "1586460544485358336.000000", "time": "1586460544"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 7, "description": "Docker: Container nginx_container received the action: kill", "groups": ["docker"], "id": "87924", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "kill", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "signal": "15", "maintainer": "NGINX Docker Maintainers "}, "ID": "a5f7bce90032373cf7f6a489ba8ba19744dafef91a5f9eac072e3f7265475ac2"}, "scope": "local", "timeNano": "1586460544324527616.000000", "from": "nginx", "time": "1586460544", "status": "kill"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 187.234.16.206] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 187.234.16.206] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "India", "location": {"lat": 19.0728302, "lon": 72.8826065}, "region_name": "Bombay", "city_name": "Bombay"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 70.24.101.214] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 75.0.101.245] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Spain", "location": {"lat": 37.1881714, "lon": -3.6066699}, "region_name": "Andaluc\u00eda", "city_name": "Granada"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 2, "mail": false, "level": 3, "description": "Docker: Container nginx_container stopped", "groups": ["docker"], "id": "87904", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "stop", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "maintainer": "NGINX Docker Maintainers "}, "ID": "1645a13ddb2f0ff8f5615b4535e57d4f08b6e444effc71b21962473edbffa758"}, "scope": "local", "timeNano": "1586461541373152000.000000", "from": "nginx", "time": "1586461541", "status": "stop"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 2, "mail": false, "level": 5, "pci_dss": ["10.2.7"], "description": "Docker: Started shell session in container nginx_container", "groups": ["docker"], "id": "87908", "nist_800_53": ["AU.14"], "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "exec_start: bash ", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "maintainer": "NGINX Docker Maintainers ", "execID": "69819869eefb3795e2015b603a2f85d6f5f556e5776428b5360fc9dfe5bfce47"}, "ID": "ff2d3b3018f1a5d97655666b7754c222a76034d536ef1de451a02fb524579c77"}, "timeNano": "1587404196804128000.000000", "from": "nginx", "time": "1587404196", "status": "exec_start: bash "}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh pulled", "id": "87932", "firedtimes": 1, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": "wazuh/wazuh:3.9.2_7.1.1", "Attributes": {"name": "wazuh/wazuh"}}, "scope": "local", "time": "1563354346", "timeNano": "1563354346181027328.000000"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh-elasticsearch pulled", "id": "87932", "firedtimes": 2, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh-elasticsearch:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": "wazuh/wazuh-elasticsearch:3.9.2_7.1.1", "Attributes": {"license": "Elastic License", "name": "wazuh/wazuh-elasticsearch", "org": {"label-schema": {"build-date": "20190305", "license": "GPLv2", "name": "elasticsearch", "schema-version": "1.0", "url": "https://www.elastic.co/products/elasticsearch", "vcs-url": "https://github.com/elastic/elasticsearch", "vendor": "Elastic", "version": "7.1.1"}}}}, "scope": "local", "time": "1563354404", "timeNano": "1563354404067201536.000000"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh-kibana pulled", "id": "87932", "firedtimes": 3, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh-kibana:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": "wazuh/wazuh-kibana:3.9.2_7.1.1", "Attributes": {"license": "Elastic License", "name": "wazuh/wazuh-kibana", "org": {"label-schema": {"build-date": "20190305", "license": "GPLv2", "name": "kibana", "schema-version": "1.0", "url": "https://www.elastic.co/products/kibana", "vcs-url": "https://github.com/elastic/kibana", "vendor": "Elastic", "version": "7.1.1"}}}}, "scope": "local", "time": "1563354404", "timeNano": "1563354404067201536.000000"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh-nginx pulled", "id": "87932", "firedtimes": 3, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh-nginx:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": "wazuh/wazuh-nginx:3.9.2_7.1.1", "Attributes": {"maintainer": "NGINX Docker Maintainers ", "name": "wazuh/wazuh-nginx"}}}, "scope": "local", "time": "1563354404", "timeNano": "1563354404067201536.000000"}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Network vagrant_default created", "id": "87930", "firedtimes": 1, "mail": false, "pci_dss": ["10.2.7"], "groups": ["docker"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Type": "network", "Action": "create", "Actor": {"ID": "80f3e2aad6cb19bcc14751551f4ea20037e41c07491a6cf4ccf093b978a8955c", "Attributes": {"name": "vagrant_default", "type": "bridge"}}, "scope": "local", "time": "1563354307", "timeNano": "1563354307459382528.000000"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "India", "location": {"lat": 19.0728302, "lon": 72.8826065}, "region_name": "Bombay", "city_name": "Bombay"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "India", "location": {"lat": 19.0728302, "lon": 72.8826065}, "region_name": "Bombay", "city_name": "Bombay"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "United States of America", "location": {"lat": 40.7142715, "lon": -74.0059662}, "region_name": "New York", "city_name": "New York"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Australia", "location": {"lat": -33.8678513, "lon": 151.2073212}, "region_name": "Sydney", "city_name": "Sydney"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "France", "location": {"lat": 48.8534088, "lon": 2.3487999}, "region_name": "Paris", "city_name": "Paris"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Canada", "location": {"lat": 49.2496605, "lon": -123.119339}, "region_name": "Vancouver", "city_name": "Vancouver"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 12}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal wazuh.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"integration": "aws", "aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2020-04-22T11:17:08Z", "instanceId": "i-0b0b8b34a48c8f1c4", "networkInterfaces": {"networkInterfaceId": "eni-01e777fb9acd548e4", "subnetId": "subnet-7930da22", "vpcId": "vpc-68e3c60f", "privateDnsName": "ip-10-0-2-2.ec2.internal", "publicIp": "40.220.125.204", "publicDnsName": "ec2-40.220.125.204.compute-1.amazonaws.com", "privateIpAddress": "10.0.2.2"}, "instanceState": "running", "imageId": "ami-0ff8a91507f77f900", "instanceType": "t2.small", "imageDescription": "Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2", "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOCBIG", "arn": "arn:aws:iam::186154171780:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1a"}}, "description": "EC2 instance i-0b0b8b34a48c8f1c4 is communicating with a remote host on an unusual server port 5060.", "source": "guardduty", "type": "Behavior:EC2/NetworkPortUnusual", "title": "Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.", "accountId": "18773455640", "createdAt": "2024-07-01T05:44:59.824Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "ACTOR", "detectorId": "cab38390b728c06fb2897dfcebffc80d", "eventFirstSeen": "2024-07-01T05:44:59.824Z", "eventLastSeen": "2024-07-04T05:44:59.824Z", "additionalInfo": {"localPort": "2222", "outBytes": "2524", "inBytes": "7187", "unusual": "1323"}, "count": "3251", "action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {"localIpDetails": {"ipAddressV4": "10.0.2.2"}, "protocol": "TCP", "blocked": "false", "connectionDirection": "OUTBOUND", "localPortDetails": {"port": "36220", "portName": "Unknown"}, "remotePortDetails": {"port": "5050", "portName": "Unknown"}, "remoteIpDetails": {"country": {"countryName": "Italy"}, "city": {"cityName": "Palermo"}, "geoLocation": {"lon": "13.334100", "lat": "38.129000"}, "organization": {"asnOrg": "Net Connections", "org": "Net Connections", "isp": "Net Connections", "asn": "1547"}, "ipAddressV4": "75.0.101.245"}}}, "serviceName": "guardduty"}, "id": "06b8d0602d109db1282f9143809f80b8", "region": "ap-east-1", "arn": "arn:aws:guardduty:ap-northeast-3:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8", "updatedAt": "2020-04-22T07:18:12.778Z", "log_info": {"s3bucket": "aws-sample-bucket-3", "log_file": "guardduty/2024/07/04/05/firehose_guardduty-1-2024-07-04-05-44-59-824b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Spain", "location": {"lat": 37.1881714, "lon": -3.6066699}, "region_name": "Andaluc\u00eda", "city_name": "Granada"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"integration": "aws", "aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2020-04-22T11:17:08Z", "instanceId": "i-0b0b8b34a48c8f1c4", "networkInterfaces": {"networkInterfaceId": "eni-01e777fb9acd548e4", "subnetId": "subnet-7930da22", "vpcId": "vpc-68e3c60f", "privateDnsName": "ip-10-0-2-2.ec2.internal", "publicIp": "40.220.125.204", "publicDnsName": "ec2-40.220.125.204.compute-1.amazonaws.com", "privateIpAddress": "10.0.2.2"}, "instanceState": "running", "imageId": "ami-0ff8a91507f77f900", "instanceType": "t2.small", "imageDescription": "Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2", "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOCBIG", "arn": "arn:aws:iam::186154171780:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1a"}}, "description": "EC2 instance i-0b0b8b34a48c8f1c4 is communicating with a remote host on an unusual server port 5060.", "source": "guardduty", "type": "Behavior:EC2/NetworkPortUnusual", "title": "Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.", "accountId": "18773455640", "createdAt": "2024-07-01T05:44:59.824Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "ACTOR", "detectorId": "cab38390b728c06fb2897dfcebffc80d", "eventFirstSeen": "2024-07-01T05:44:59.824Z", "eventLastSeen": "2024-07-04T05:44:59.824Z", "additionalInfo": {"localPort": "2222", "outBytes": "2524", "inBytes": "7187", "unusual": "1323"}, "count": "3251", "action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {"localIpDetails": {"ipAddressV4": "10.0.2.2"}, "protocol": "TCP", "blocked": "false", "connectionDirection": "OUTBOUND", "localPortDetails": {"port": "36220", "portName": "Unknown"}, "remotePortDetails": {"port": "5050", "portName": "Unknown"}, "remoteIpDetails": {"country": {"countryName": "Italy"}, "city": {"cityName": "Palermo"}, "geoLocation": {"lon": "13.334100", "lat": "38.129000"}, "organization": {"asnOrg": "Net Connections", "org": "Net Connections", "isp": "Net Connections", "asn": "1547"}, "ipAddressV4": "75.0.101.245"}}}, "serviceName": "guardduty"}, "id": "06b8d0602d109db1282f9143809f80b8", "region": "ap-east-1", "arn": "arn:aws:guardduty:ap-northeast-3:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8", "updatedAt": "2020-04-22T07:18:12.778Z", "log_info": {"s3bucket": "aws-sample-bucket-3", "log_file": "guardduty/2024/07/04/05/firehose_guardduty-1-2024-07-04-05-44-59-824b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Germany", "location": {"lat": 52.524, "lon": 13.411}, "region_name": "Berlin", "city_name": "Berlin"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": true, "level": 12, "description": "AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts", "groups": ["amazon", "aws", "aws_macie"], "id": "80355", "firedtimes": 10}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "CRITICAL", "actor": "resources.wazuh.sample.com", "summary": {"Timestamps": "2024-06-27T08:55:29.145Z", "Description": "S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts", "Bucket": "resources.wazuh.sample.com,", "Record Count": "1", "Event Count": "1", "recipientAccountId": "166157441400", "ACL": {"resources": {"wazuh": {"com": {"Owner": {"DisplayName": "wazuh", "ID": "3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}}, "risk-score": "9", "notification-type": "ALERT_CREATED", "name": "S3 Bucket IAM policy grants global read rights", "created-at": "2024-06-27T08:55:29.145Z", "source": "macie", "url": "https://mt.eu-west-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aeu-west-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded", "tags": {"value": "Open Permissions,Basic Alert,"}, "alert-arn": "arn:aws:macie:eu-west-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed", "region": "ap-southeast-1", "log_info": {"s3bucket": "aws-sample-bucket-9", "log_file": "macie/2024/06/30/08/firehose_macie-1-2024-06-30-08-55-29-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2024-06-30-08-55-29-145b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Canada", "location": {"lat": 49.2496605, "lon": -123.119339}, "region_name": "Vancouver", "city_name": "Vancouver"}}