Opensource Security & Cloud

Welcome to my website! I am Wali, a security engineer passionate about open-source security and DevOps, especially SIEM, XDR and cloud tools :D

  • This is a space to share my thoughts & learning about all technical topics such as Wazuh, Elastic Stack (ELK), OpenSearch, K8s, AWS & Linux 🙂
  • Simply, I love to share everything and anything I learn, as I believe that sharing more leads to learning more.

Azure Sign-in Logs Missing from Wazuh Dashboard

Issue Description
Azure sign-in logs (auditLogs/signIns) are processed by the Wazuh manager and visible in alerts, but they don't appear in the Wazuh Dashboard. This happens due to a field mapping conflict.

The Error
    { "type": "mapper_parsing_exception", "reason": "failed to parse field [data.ms-graph.status] of type [keyword]" }

Root Cause
The status field in Azure logs contains a JSON object, but the Wazuh template expects it to be a keyword string.

Solution

Temporary Fix
Edit the Wazuh template:
    sudo nano /etc/filebeat/wazuh-template.json
Find the ms-graph section and update the status field:
    "ms-graph": { "properties": { "relationship": { "type": "keyword" }, "status": { "type": "object", "dynamic": true } } }
Apply the template:
    filebeat setup --index-management -E setup.template.json.enabled=false
Restart Filebeat:
    sudo systemctl restart filebeat

Permanent Fix
A permanent fix will be available in Wazuh 4.14 based on this PR: https://github.com/wazuh/wazuh/pull/30831 ...

August 22, 2025 · 1 min · ElWali Karkoub

KnockKnock: Reveal Persistently Installed macOS Software

In post-incident malware investigations, fast and reliable tools are critical for uncovering persistence mechanisms. One such tool I recently discovered is KnockKnock, a free, open-source utility by Objective-See that reveals persistently installed software components on macOS.

Why It Matters
Once malware infects a system, it typically establishes persistence through:
  • Launch Agents/Daemons
  • Browser Extensions
  • Cron Jobs
  • Login Items
  • Kernel Extensions
KnockKnock automates detection of these persistence mechanisms, providing visibility into what's set to automatically execute on your Mac. ...

August 3, 2025 · 1 min · Elwali Karkoub

Wazuh Upgrade Permissions Fix

Updating Wazuh Manager Permissions After Failed Upgrade
If your Wazuh manager upgrade fails due to permission issues, you may need to check the file permissions/ownership, in case they are still using the old ossec user/group.

Permission Update Commands
Run these commands to correct ownership:
    # Change ossec user/group to wazuh
    find /var/ossec -group ossec -user ossec -exec chown wazuh:wazuh {} \;
    # Change root-owned files to wazuh group
    find /var/ossec -group ossec -user root -exec chown root:wazuh {} \;
Notes: These commands recursively update ownership in the Wazuh directory ...

June 12, 2025 · 1 min · Elwali Karkoub

Running PowerShell Commands on a Wazuh Wodle

Running PowerShell Commands on a Wodle in Wazuh
By executing PowerShell commands through a Wazuh Wodle and formatting the results in JSON, you can streamline log processing without the need for custom decoders. This method simplifies integration: only the corresponding rules need to be defined to handle the structured output effectively.

PowerShell Command Format
The recommended format for PowerShell commands in a Wodle is:
    Powershell -c "@{ <header> = <command> } | ConvertTo-Json -compress"
<command> is the PowerShell cmdlet or one-liner script that outputs an object ...

June 12, 2025 · 2 min · Elwali Karkoub

My Essential Docker Commands Cheat Sheet

Docker commands I use regularly:

1. Complete Environment Cleanup
    docker-compose down --remove-orphans -v --rmi all
  --remove-orphans: Deletes containers for services not in the compose file
  -v: Removes attached volumes
  --rmi all: Deletes all images used by services

2. Run Image with Interactive Shell
    docker run -it --entrypoint bash wazuh/wazuh-certs-generator:0.0.1
    docker run -it --entrypoint bash ubuntu:focal
  -it: Interactive terminal
  --entrypoint bash: Overrides the default entrypoint to give shell access

3. Find Container IP Address
    docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $(docker ps | grep -i dashboard | awk '{print $1}')
  docker ps | grep -i dashboard: Finds the container with "dashboard" in its name ...

June 7, 2025 · 1 min · Elwali Karkoub

Turning My Linux Mint Laptop into a Server: Systemd Targets & logind

I have been tinkering lately to build a home lab (K8s, Wazuh …) and wanted to turn my old laptop (running Linux Mint 21) into a server. While going through that process I had issues configuring RDP (the session immediately closed after connecting); I also needed to be able to close the laptop's lid while keeping it running. For the first issue, I was able to solve it by running the following and then rebooting: ...

February 8, 2025 · 1 min · Elwali Karkoub

Bluetooth Keyboard Keeps Dropping Its Connection

For no specific reason I can tell, my Bluetooth keyboard SUBBLIM dropped the connection on my Linux Mint 21 machine. The Bluetooth logs show:
    bluetoothd[1109]: profiles/input/hog-lib.c:report_reference_cb() Read Report Reference descriptor failed: Request attribute has encountered an unlikely error
    bluetoothd[1109]: profiles/input/hog-lib.c:info_read_cb() HID Information read failed: Request attribute has encountered an unlikely error
I proceeded to solve it as follows:
  • Install: sudo apt-get install blueman
  • Load the module: modprobe btusb
  • Removed the Bluetooth device from the UI, or you can use the command: bluetoothctl remove 54:46:6E:2F:15:5B ...

January 5, 2025 · 1 min · Elwali Karkoub

Check Connectivity Using Only curl

I have had situations where I needed to check connectivity using telnet, but the server did not have it installed, nor was there the possibility to do so. I've found that it can be achieved using only curl:
    curl -vv telnet://serverIP:port
This will use the telnet protocol instead of the usual http(s). curl supports about 28 protocols, which you can find here: https://everything.curl.dev/protocols/curl.html

December 28, 2024 · 1 min · Elwali Karkoub