Missing source ip in ElastAlert with Sigma Rules and Data from Wazuh Client

[evildrummer]

Hi,

i imported a Sigma Rule in the playbook and turned it into an active play. Rules below

`title: Whoami Execution
id: e28a5a99-da44-436d-b7a0-2afc20a5f413
status: experimental
description: Detects the execution of whoami, which is often used by attackers after
exloitation / privilege escalation but rarely used by administrators
references:

• https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
• https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
  author: Florian Roth
  date: 2018/08/13
  tags:
• attack.discovery
• attack.t1033
• car.2016-03-001
  logsource:
  category: process_creation
  product: windows
  detection:
  selection:
  Image: '*\whoami.exe'
  selection2:
  OriginalFileName: whoami.exe
  condition: selection or selection2
  falsepositives:
• Admin activity
• Scripts and administrative tools used in the monitored environment
  level: high`

In the ElastAlert Dashboard i see the events triggered on a host where the wazuh client is running but how can i get the ip of the machine where this was triggered? The problem is when i rollout the wazuh client on multiple machines i´m unable to find the host where the binary was executed.

[weslambert]

You should be able to use agent.ip from the Wazuh log itself.

[evildrummer]

Thanks for the response. And how can i integrate it in the dashboard?

[weslambert]

You can copy the dashboard/visualizations, and modify/add a new one containing the information you want. The default ones are just there as an example. If you try to modify them, your modifications will get overwritten.