@cywf
Created February 11, 2024 20:41
Importing and Visualizing Geographical Threat Data in Wazuh SIEM

This document provides a step-by-step guide on how to import external threat data, such as vulnerable devices identified by Shodan.io, and visualize it on a geographical map within Wazuh SIEM's OpenSearch Dashboards.

Prerequisites

  • Ensure that your Wazuh installation includes OpenSearch and OpenSearch Dashboards (formerly Elasticsearch and Kibana).
  • Obtain geographical threat data in JSON format with latitude and longitude information.

Step 1: Obtain and Prepare Data

  1. Export Data from Shodan:

    • Use Shodan to identify vulnerable devices in your region of interest.
    • Export the results in JSON format.
  2. Transform Data (if necessary):

    • Convert the data into a GeoJSON-style format, if Shodan does not already provide one, so that each record carries its own coordinates.
    • Ensure that the geographical coordinates are structured as an object with lat and lon keys, which OpenSearch can index as a geo_point:
      "location": {
        "lat": 18.2208,
        "lon": -66.5901
      }
    • Save the transformed data as vulnerable_devices.json.

Step 2: Import Data into Elasticsearch

  1. Create an Index:

    • Create the index with a mapping that declares the location field as a geo_point. The mapping must exist before the first document is indexed: if documents arrive first, dynamic mapping stores lat and lon as plain numbers and the Maps layer cannot use them.
      PUT /vulnerable-devices
      {
        "mappings": {
          "properties": {
            "location": {
              "type": "geo_point"
            }
          }
        }
      }
  2. Import JSON Data:

    • Use the bulk API to import your vulnerable_devices.json file. The body is newline-delimited JSON (send it with Content-Type: application/x-ndjson): each document is preceded by an index action line, every line is a complete JSON object, and the body must end with a newline or the last document is silently ignored. The geo_point field is validated on import, so a record with a missing or out-of-range latitude or longitude fails for that line.
      POST /vulnerable-devices/_bulk
      { "index": {}}
      { "location": { "lat": 18.2208, "lon": -66.5901 }, "device": "Device 1", "vulnerability": "CVE-XXXX-XXXX" }
      { "index": {}}
      { "location": { "lat": 18.221, "lon": -66.591 }, "device": "Device 2", "vulnerability": "CVE-YYYY-YYYY" }
      // Continue with the rest of your data...
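As an added example (not part of the original gist), the following Python script performs Steps 1 and 2 in one pass: it reads a Shodan-style JSON-lines export, maps each banner to the document schema used above, drops records whose coordinates would be rejected by the geo_point mapping, and emits the NDJSON body for the _bulk request. The Shodan field names (ip_str, port, location.latitude/longitude, vulns) and the ip:port device naming are assumptions, and the input is constructed sample data.

```python
import json

# Constructed sample in the shape of a Shodan JSON export (one banner per line).
# Field names (ip_str, port, location.latitude/longitude, vulns) are assumed from
# Shodan's banner format; they are not taken from the guide above.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"ip_str": "203.0.113.10", "port": 502,
                "location": {"latitude": 18.2208, "longitude": -66.5901},
                "vulns": {"CVE-XXXX-XXXX": {}}}),
    json.dumps({"ip_str": "203.0.113.11", "port": 80,
                "location": {"latitude": 18.221, "longitude": -66.591},
                "vulns": {"CVE-YYYY-YYYY": {}, "CVE-ZZZZ-ZZZZ": {}}}),
    json.dumps({"ip_str": "203.0.113.12", "port": 22,
                "location": {"latitude": None, "longitude": None}}),  # no geo data
])


def to_documents(banner):
    """Map one Shodan-style banner to the guide's document schema.

    One document is emitted per CVE so the map can be styled per vulnerability.
    Banners without usable coordinates are dropped, because the geo_point mapping
    rejects missing or out-of-range lat/lon and that bulk line would fail.
    """
    loc = banner.get("location") or {}
    lat, lon = loc.get("latitude"), loc.get("longitude")
    if lat is None or lon is None or not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return []
    device = f"{banner['ip_str']}:{banner['port']}"  # assumed naming, not Shodan's
    cves = sorted(banner.get("vulns") or []) or ["unknown"]
    return [{"location": {"lat": lat, "lon": lon}, "device": device, "vulnerability": cve}
            for cve in cves]


def build_bulk_body(export_text):
    """Build the NDJSON body for POST /vulnerable-devices/_bulk.

    Each document is preceded by an {"index": {}} action line (auto-generated _id)
    and the body ends with a newline, as the bulk API requires.
    """
    lines = []
    for raw in export_text.splitlines():
        if not raw.strip():
            continue
        for doc in to_documents(json.loads(raw)):
            lines.append(json.dumps({"index": {}}))
            lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Pipe to: curl -H 'Content-Type: application/x-ndjson' --data-binary @- <host>/vulnerable-devices/_bulk
    print(build_bulk_body(SAMPLE_EXPORT), end="")
```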

Step 3: Visualize Data in OpenSearch Dashboards

  1. Create a New Map:

    • Navigate to the 'Maps' section in the OpenSearch Dashboards.
    • Select 'Create map' to start a new visualization.
  2. Add Data Layer:

    • Choose 'Add layer' and then 'Add vector layer'.
    • Select the 'vulnerable-devices' index from the dropdown.
    • Configure the layer to display data points based on the geo_point field.
  3. Customize and Style:

    • Customize the map by adding tooltips, labels, and setting the style for different severity levels of vulnerabilities.
    • Adjust the zoom level and default center point to focus on your region, such as Puerto Rico.
  4. Save and Add to Dashboard:

    • Once you're satisfied with the map, save it and give it an appropriate title.
    • Add the map to an existing or new dashboard for monitoring.

Conclusion

You've now successfully integrated external threat data into your Wazuh SIEM and visualized it geographically. This map can help you monitor threats in relation to your deployed agents and take proactive measures.

Remember to update your data periodically to reflect the current threat landscape.
