Implement cross account support to Security Lake integration #657

Open

wants to merge 8 commits into base: main

Conversation

QU3B1M
Member

@QU3B1M QU3B1M commented Jan 28, 2025

Description

Update lambda_function script to assume the required role using an external account ID.

Add Unit Tests using the python library moto to mock AWS services and validate the lambda_function behaviour.

Test execution

% pytest -v
================================================================= test session starts ==================================================================
platform darwin -- Python 3.13.0, pytest-8.3.4, pluggy-1.5.0 -- /Users/quebim_wz/IdeaProjects/wazuh-indexer/integrations/amazon-security-lake/venv/bin/python3.13
cachedir: .pytest_cache
rootdir: /Users/quebim_wz/IdeaProjects/wazuh-indexer/integrations/amazon-security-lake/tests
configfile: pytest.ini
collected 7 items                                                                                                                                      

test_lambda_function.py::test_lambda_handler PASSED                                                                                              [ 14%]
test_lambda_function.py::test_assume_role PASSED                                                                                                 [ 28%]
test_lambda_function.py::test_get_s3_client PASSED                                                                                               [ 42%]
test_lambda_function.py::test_get_events PASSED                                                                                                  [ 57%]
test_lambda_function.py::test_write_parquet_file PASSED                                                                                          [ 71%]
test_lambda_function.py::test_upload_to_s3 PASSED                                                                                                [ 85%]
test_lambda_function.py::test_get_full_key PASSED                                                                                                [100%]

================================================================== 7 passed in 0.59s ===================================================================

Related Issues

Resolves #276

Check List

  • Functionality includes testing.
  • API changes companion pull request created, if applicable.
  • Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
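The description above covers the two pieces of the change, assuming a role in the external account and exercising the handler with mocked AWS services. The block below is an added example, not the PR's lambda_function code or its moto-based tests: it shows the cross-account assume-role call in the shape a reviewer would expect, plus a check for the trust policy on the Security Lake side. It assumes the function runs in a source account and writes to a bucket owned by the external account; the role name, session name and external ID are placeholders, the ExternalId condition is a recommendation rather than something the PR states it uses, the STS client is injected so the flow can be driven by a stub, and `FakeSTS` is a constructed stand-in, not moto.

```python
"""Cross-account role assumption for a Security Lake ingest function.

Added example, not the lambda_function code from this PR. It assumes the
function runs in a source account and must write to a Security Lake bucket
owned by a different account (the external account ID), through a role that
lives in that account. The STS client is injected so the flow can be driven
by a stub; FakeSTS below is a constructed stand-in, not moto.
"""
import re
from datetime import datetime, timedelta, timezone

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def role_arn(account_id: str, role_name: str) -> str:
    """Build the ARN of the role to assume in the external account,
    refusing malformed input before it reaches STS."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"account ID must be 12 digits, got {account_id!r}")
    if not role_name or "/" in role_name:
        raise ValueError("role name must be a plain IAM role name")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def assume_role(sts, account_id, role_name, session_name, external_id=None, duration=900):
    """Call STS AssumeRole and return temporary credentials in the keyword
    form boto3.client()/Session() accept.

    external_id (hypothetical here) is sent as ExternalId so the target role's
    trust policy can require it; session_name is what the target account sees
    in CloudTrail, so use something that identifies this integration.
    duration defaults to the 15-minute STS minimum: enough for one batch.
    """
    params = {
        "RoleArn": role_arn(account_id, role_name),
        "RoleSessionName": session_name,
        "DurationSeconds": duration,
    }
    if external_id:
        params["ExternalId"] = external_id
    creds = sts.assume_role(**params)["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_is_scoped(policy: dict, source_account: str, external_id: str) -> bool:
    """Review check for the role in the Security Lake account: every Allow
    for sts:AssumeRole must name only principals in source_account and
    require the agreed ExternalId. Returns False for a wildcard principal or
    a missing condition."""
    allows = [
        s for s in policy.get("Statement", [])
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))
    ]
    if not allows:
        return False
    for stmt in allows:
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if not principals:
            return False
        if any(p != source_account and f":{source_account}:" not in p for p in principals):
            return False
        if stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId") != external_id:
            return False
    return True


class FakeSTS:
    """Constructed stand-in for a boto3 STS client: records each request and
    returns dummy short-lived credentials."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        ttl = timedelta(seconds=kwargs.get("DurationSeconds", 3600))
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEKEY",
            "SecretAccessKey": "example-secret",
            "SessionToken": "example-token",
            "Expiration": datetime.now(timezone.utc) + ttl,
        }}


if __name__ == "__main__":
    sts = FakeSTS()
    # 111111111111 is the accountId from the parquet file name in this PR; the
    # role, session name and external ID are placeholders.
    creds = assume_role(sts, "111111111111", "SecurityLakeIngestRole",
                        "wazuh-security-lake", external_id="wazuh-sl-external-id")
    print(sts.calls[0]["RoleArn"], creds["expiration"].isoformat())
```

With a real boto3 client in place of `FakeSTS`, the returned dict can be passed straight to `boto3.client("s3", **creds_without_expiration)`; keeping the session short and the session name descriptive is what makes the cross-account writes attributable in the target account's CloudTrail.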

@QU3B1M QU3B1M self-assigned this Jan 28, 2025
@QU3B1M QU3B1M marked this pull request as ready for review January 30, 2025 12:39
@QU3B1M QU3B1M requested a review from a team as a code owner January 30, 2025 12:39
Member

@AlexRuiz7 AlexRuiz7 left a comment

Environment is failing. See #664

@QU3B1M
Member Author

QU3B1M commented Feb 7, 2025

S3 Ninja mock with data batch
[image]

Process the data batch

% bash amazon-security-lake/invoke-lambda.sh 20250207/ls.s3.3910e5c0-cf61-44ee-8143-8c865607c26e.2025-02-07T17.55.part0.txt.gz
"{\"size\": 113, \"upload_success\": true, \"ocsf_upload_success\": true}"

Processed data is uploaded to the parquet
[image]

Download and show the parquet data

% parquet-tools show ext_wazuh_region=us-east-1_accountId=111111111111_eventDay=20250207_3910e5c0cf6144ee81438c865607c26e.parquet
+---------------+-----------------+----------------+------------------+-------------+---------+------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+-------------+------------+------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+
|   activity_id | category_name   |   category_uid | class_name       |   class_uid |   count | message                                                                                                                            | metadata                                                                                                                                                | raw_data                                                                                                                                       | resources                                                            |   risk_score |   severity_id |   status_id |       time |   type_uid | unmapped                                                                                                            | analytic                                                                                                 | attacks                                                                                                     | finding                                                                                                                                                                                                           |   state_id |
|---------------+-----------------+----------------+------------------+-------------+---------+------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+-------------+------------+------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------|
|             1 | Findings        |              2 | Security Finding |        2001 |       6 | Audit: Command: /usr/sbin/ls                                                                                                       | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 1738950646 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/ls', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                       |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      12 | Audit: Command: /usr/sbin/sudo                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             1 |          99 | 1738950671 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       0 | Sample alert 1                                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |           10 |             3 |          99 | 1738950666 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'ciscat', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '2087'}                       | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Sample alert 1', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       0 | Sample alert 3                                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            8 |             3 |          99 | 1738950630 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'ciscat', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '4635'}                       | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Sample alert 3', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       1 | Audit: Command: /usr/sbin/bash                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             1 |          99 | 1738950640 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80790'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      13 | Audit: Command: /usr/sbin/hostname                                                                                                 | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             1 |          99 | 1738950681 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                 |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      11 | Audit: Command: /usr/sbin/id                                                                                                       | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             1 |          99 | 1738950686 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                       |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      17 | Audit: Command: /usr/sbin/sh                                                                                                       | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             1 |          99 | 1738950651 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80790'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/sh', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                       |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      12 | Audit: Command: /usr/sbin/sudo                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 1738950661 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      12 | Audit: Command: /usr/sbin/sudo                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             1 |          99 | 1738950758 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       7 | Host-based anomaly detection event (rootcheck).                                                                                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Monkit' detected by the presence of file '/lib/defs'.                                                                                 | [{'name': 'Centos', 'uid': '005'}]                                   |            7 |             2 |          99 | 1738950691 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'}                                                                                    |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       3 | Audit: Command: /usr/sbin/ssh                                                                                                      | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             1 |          99 | 1738950783 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80791'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/ssh', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                      |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      11 | Audit: Command: /usr/sbin/id                                                                                                       | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             1 |          99 | 1738950732 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                       |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      13 | Audit: Command: /usr/sbin/hostname                                                                                                 | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 1738950717 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                 |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      11 | Audit: Command: /usr/sbin/id                                                                                                       | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 1738950753 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                       |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       1 | Audit: Command: /usr/sbin/bash                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             1 |          99 | 1738950768 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80790'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |     197 | CVE-2018-15919 affects openssh-client                                                                                              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            7 |             2 |          99 | 1738950737 |     200101 | {'data_sources': array(['vulnerability-detector', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} | {'category': 'vulnerability-detector', 'name': 'json', 'type': 'Rule', 'type_id': 1, 'uid': '23504'}     | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'CVE-2018-15919 affects openssh-client', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                              |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      12 | Audit: Command: /usr/sbin/sudo                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             1 |          99 | 1738950747 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      10 | AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060. | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'RHEL7', 'uid': '001'}]                                    |            6 |             2 |          99 | 1738950702 |     200101 | {'data_sources': array(['Wazuh-AWS', 'manager'], dtype=object), 'nist': array([], dtype=object)}                    | {'category': 'amazon, aws, aws_guardduty', 'name': 'json', 'type': 'Rule', 'type_id': 1, 'uid': '80302'} | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       6 | Audit: Command: /usr/sbin/ls                                                                                                       | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             1 |          99 | 1738950712 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/ls', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                       |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       9 | Host-based anomaly detection event (rootcheck).                                                                                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Monkit' detected by the presence of file '/lib/defs'.                                                                                 | [{'name': 'Amazon', 'uid': '002'}]                                   |            7 |             2 |          99 | 1738950819 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'}                                                                                    |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      13 | Audit: Command: /usr/sbin/hostname                                                                                                 | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             1 |          99 | 1738950727 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                 |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       6 | Audit: Command: /usr/sbin/ls                                                                                                       | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 1738950697 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/ls', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                       |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       0 | Sample alert 5                                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |           12 |             4 |          99 | 1738950844 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'ciscat', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '2553'}                       | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Sample alert 5', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      16 | Audit: Command: /usr/sbin/consoletype                                                                                              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 1738950793 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                              |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       0 | Sample alert 3                                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Amazon', 'uid': '002'}]                                   |            6 |             2 |          99 | 1738950803 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'ciscat', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '3079'}                       | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Sample alert 3', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       5 | Host-based anomaly detection event (rootcheck).                                                                                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic).                    | [{'name': 'Amazon', 'uid': '002'}]                                   |            7 |             2 |          99 | 1738950813 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'}                                                                                    |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       1 | Audit: Command: /usr/sbin/crond                                                                                                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 1738950829 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80791'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/crond', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                    |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      12 | Audit: Command: /usr/sbin/sudo                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 1738950798 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      10 | Host-based anomaly detection event (rootcheck).                                                                                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'.                                                                             | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            7 |             2 |          99 | 1738950808 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'}                                                                                    |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       1 | Audit: Command: /usr/sbin/crond                                                                                                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             1 |          99 | 1738950879 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80791'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/crond', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                    |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      17 | Audit: Command: /usr/sbin/sh                                                                                                       | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             1 |          99 | 1738950722 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80790'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/sh', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                       |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       0 | Sample alert 1                                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |           10 |             3 |          99 | 1738950773 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'ciscat', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '2087'}                       | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Sample alert 1', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      17 | Audit: Command: /usr/sbin/sh                                                                                                       | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             1 |          99 | 1738950788 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80790'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/sh', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                       |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       0 | Sample alert 4                                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             1 |          99 | 1738950854 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'ciscat', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '4685'}                       | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Sample alert 4', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      12 | Audit: Command: /usr/sbin/sudo                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             1 |          99 | 1738950864 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       3 | Audit: Command: /usr/sbin/ssh                                                                                                      | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             1 |          99 | 1738950874 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80791'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/ssh', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                      |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       1 | Audit: Command: /usr/sbin/bash                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 1738950890 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80790'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       0 | Sample alert 5                                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            7 |             2 |          99 | 1738950859 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'ciscat', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '1839'}                       | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Sample alert 5', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |     198 | CVE-2018-15919 affects openssh-server                                                                                              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'RHEL7', 'uid': '001'}]                                    |            7 |             2 |          99 | 1738950849 |     200101 | {'data_sources': array(['vulnerability-detector', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} | {'category': 'vulnerability-detector', 'name': 'json', 'type': 'Rule', 'type_id': 1, 'uid': '23504'}     | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'CVE-2018-15919 affects openssh-server', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                              |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      18 | CVE-2019-19645 affects libsqlite3-0                                                                                                | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            5 |             2 |          99 | 1738950778 |     200101 | {'data_sources': array(['vulnerability-detector', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} | {'category': 'vulnerability-detector', 'name': 'json', 'type': 'Rule', 'type_id': 1, 'uid': '23503'}     | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'CVE-2019-19645 affects libsqlite3-0', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      18 | CVE-2019-19645 affects libsqlite3-0                                                                                                | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            5 |             2 |          99 | 1738950834 |     200101 | {'data_sources': array(['vulnerability-detector', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} | {'category': 'vulnerability-detector', 'name': 'json', 'type': 'Rule', 'type_id': 1, 'uid': '23503'}     | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'CVE-2019-19645 affects libsqlite3-0', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      13 | Audit: Command: /usr/sbin/hostname                                                                                                 | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             1 |          99 | 1738950869 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                 |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       3 | Audit: Command: /usr/sbin/ssh                                                                                                      | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             1 |          99 | 1738950763 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80791'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/ssh', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                      |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       8 | Host-based anomaly detection event (rootcheck).                                                                                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'.                                                                               | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            7 |             2 |          99 | 1738950824 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'}                                                                                    |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       1 | Audit: Command: /usr/sbin/bash                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             1 |          99 | 1738951103 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80790'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      16 | Audit: Command: /usr/sbin/consoletype                                                                                              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             1 |          99 | 1738951113 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                              |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      13 | Audit: Command: /usr/sbin/hostname                                                                                                 | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             1 |          99 | 1738951118 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                 |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      11 | Audit: Command: /usr/sbin/id                                                                                                       | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             1 |          99 | 1738951138 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                       |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      16 | Audit: Command: /usr/sbin/consoletype                                                                                              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             1 |          99 | 1738950930 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                              |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       6 | Audit: Command: /usr/sbin/ls                                                                                                       | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             1 |          99 | 1738951143 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/ls', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                       |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       2 | Host-based anomaly detection event (rootcheck).                                                                                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic).              | [{'name': 'RHEL7', 'uid': '001'}]                                    |            7 |             2 |          99 | 1738951026 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'}                                                                                    |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       1 | Audit: Command: /usr/sbin/bash                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             1 |          99 | 1738951072 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80790'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       5 | Host-based anomaly detection event (rootcheck).                                                                                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic).              | [{'name': 'Debian', 'uid': '007'}]                                   |            7 |             2 |          99 | 1738951169 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'}                                                                                    |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      11 | Audit: Command: /usr/sbin/id                                                                                                       | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 1738951189 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                       |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       0 | Sample alert 5                                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |           12 |             4 |          99 | 1738951062 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'ciscat', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '2553'}                       | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Sample alert 5', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      13 | Audit: Command: /usr/sbin/grep                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 1738951093 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80791'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/grep', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       1 | Audit: Command: /usr/sbin/bash                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             1 |          99 | 1738951164 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80790'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       1 | Audit: Command: /usr/sbin/bash                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             1 |          99 | 1738951174 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80790'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      17 | CVE-2020-1752 affects multiarch-support                                                                                            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'RHEL7', 'uid': '001'}]                                    |            5 |             2 |          99 | 1738951179 |     200101 | {'data_sources': array(['vulnerability-detector', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} | {'category': 'vulnerability-detector', 'name': 'json', 'type': 'Rule', 'type_id': 1, 'uid': '23503'}     | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'CVE-2020-1752 affects multiarch-support', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                            |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       9 | Host-based anomaly detection event (rootcheck).                                                                                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic).                            | [{'name': 'Amazon', 'uid': '002'}]                                   |            7 |             2 |          99 | 1738951199 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'}                                                                                    |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       6 | Audit: Command: /usr/sbin/ls                                                                                                       | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             1 |          99 | 1738950935 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/ls', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                       |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       6 | Host-based anomaly detection event (rootcheck).                                                                                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic).                                                   | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            7 |             2 |          99 | 1738951087 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'}                                                                                    |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       0 | Sample alert 2                                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             1 |          99 | 1738951133 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'ciscat', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '925'}                        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Sample alert 2', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       0 | Sample alert 2                                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Debian', 'uid': '007'}]                                   |            7 |             2 |          99 | 1738951123 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'ciscat', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '5080'}                       | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Sample alert 2', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      13 | Audit: Command: /usr/sbin/grep                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             1 |          99 | 1738951153 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80791'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/grep', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      13 | Audit: Command: /usr/sbin/grep                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 1738950940 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80791'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/grep', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |      16 | Audit: Command: /usr/sbin/consoletype                                                                                              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             1 |          99 | 1738951148 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                              |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       1 | Audit: Command: /usr/sbin/crond                                                                                                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             1 |          99 | 1738951194 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80791'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/crond', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                    |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       3 | Audit: Command: /usr/sbin/ssh                                                                                                      | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             1 |          99 | 1738951184 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80791'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/ssh', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                      |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       1 | Audit: Command: /usr/sbin/bash                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             1 |          99 | 1738950976 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80790'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       1 | Audit: Command: /usr/sbin/bash                                                                                                     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             1 |          99 | 1738951037 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80790'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                     |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       6 | Host-based anomaly detection event (rootcheck).                                                                                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'.                                                                          | [{'name': 'RHEL7', 'uid': '001'}]                                    |            7 |             2 |          99 | 1738951098 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'}                                                                                    |          1 |
|             1 | Findings        |              2 | Security Finding |        2001 |       6 | Audit: Command: /usr/sbin/ls                                                                                                       | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                                | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             1 |          99 | 1738951158 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}        | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | {'title': 'Audit: Command: /usr/sbin/ls', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                                                                       |          1 |
+---------------+-----------------+----------------+------------------+-------------+---------+------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+-------------+------------+------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+

Successfully merging this pull request may close these issues.

Security Lake Integration should support cross-account