Glossary

Alert

An alert is an event produced by Wazuh when its analysis engine matches a collected log event against a rule. Alerts do not necessarily indicate that something is wrong; the alert's rule level indicates the severity of the alert.

Alert rule level

The Wazuh alert rule level is an integer (0 to 16) that determines the severity of the alert; the higher the level, the more severe the event. Most connectors and dashboards filter on a minimum level rather than on individual rule IDs.

Alert rule ID

The rule ID identifies which rule produced an alert and so distinguishes alerts from one another. For instance, rule ID 5710 detects an SSH login attempt using a non-existent user. To navigate the rules in use on your Wazuh instance, go to the management section:

Figure: Rules under the Wazuh app navigator (image: _images/wazuh_rules_nav.png)

Figure: Overview of rule 5710 (image: _images/wazuh_rule_overview.png)

API

Application programming interface

AWS

Amazon Web Services

CTI

Cyber threat intelligence

CVSS3

Common vulnerability scoring system (version 3), an industry standard for assessing the severity of computer system security vulnerabilities. See the specification document for details.

docker

Docker is a tool that simplifies the process of creating, deploying, and managing applications by packaging them with their dependencies into standardized units called containers.

DSL

Domain-specific language, or more specifically OpenSearch’s query DSL in the context of this connector.

Enrichment

In the context of this connector, enrichment can mean both of the following:

  1. The OpenCTI concept of running an enrichment connector to enrich an entity, typically an SCO, with more information. This connector does not really do that, but it uses the enrichment connector type because that type fits best. The "enrichment" performed by running this connector consists of searching for the entity in Wazuh and creating sightings and incidents. Incidents, however, are packed with objects extracted as context from the alerts, and this is what the connector's architecture description refers to as enrichment.

  2. When an incident (and an incident response case) is created by this connector, as many entities as possible are created from the information available in the alerts returned by the search. This is the enrichment stage in the connector.
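As an added worked example (not the connector's own code), the following Python shows the two steps the entries above describe: building an OpenSearch query DSL body that searches the Wazuh alert indices for an observable value at or above a given rule level, and the enrichment stage that extracts context observables and rule ID/level counts from the alerts that come back. The sample alert documents, hosts, addresses and user names are constructed for this example; the field-to-SCO mapping in OBSERVABLE_FIELDS is an assumption chosen for illustration rather than the connector's configuration, and local_search() stands in for sending the query to a real OpenSearch cluster so the example runs offline.

```python
import json
from collections import Counter

# Constructed sample documents in the shape of Wazuh alerts stored in the
# wazuh-alerts-* indices. All agents, addresses, users and paths are made up.
SAMPLE_HITS = [
    {"_source": {"timestamp": "2024-05-01T10:00:01.000+0000",
                 "rule": {"id": "5710", "level": 5,
                          "description": "sshd: Attempt to login using a non-existent user",
                          "groups": ["syslog", "sshd", "authentication_failed", "invalid_login"]},
                 "agent": {"id": "001", "name": "web01", "ip": "10.0.0.5"},
                 "data": {"srcip": "203.0.113.7", "srcuser": "admin"}}},
    {"_source": {"timestamp": "2024-05-01T10:00:03.000+0000",
                 "rule": {"id": "5710", "level": 5,
                          "description": "sshd: Attempt to login using a non-existent user",
                          "groups": ["syslog", "sshd", "authentication_failed", "invalid_login"]},
                 "agent": {"id": "001", "name": "web01", "ip": "10.0.0.5"},
                 "data": {"srcip": "203.0.113.7", "srcuser": "oracle"}}},
    {"_source": {"timestamp": "2024-05-01T10:02:00.000+0000",
                 "rule": {"id": "5503", "level": 5, "description": "PAM: User login failed.",
                          "groups": ["pam", "syslog", "authentication_failed"]},
                 "agent": {"id": "002", "name": "db01", "ip": "10.0.0.9"},
                 "data": {"srcip": "198.51.100.2", "srcuser": "root"}}},
    {"_source": {"timestamp": "2024-05-01T10:05:00.000+0000",
                 "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed.",
                          "groups": ["ossec", "syscheck", "syscheck_entry_modified"]},
                 "agent": {"id": "001", "name": "web01", "ip": "10.0.0.5"},
                 "syscheck": {"path": "/etc/passwd", "event": "modified"}}},
]


def get_path(doc, dotted):
    """Resolve a dotted field name such as 'data.srcip' inside a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def build_query(value, fields, min_level=0, size=100):
    """Return an OpenSearch query DSL body: the value must appear in at least one
    of `fields`, and rule.level must be at or above min_level. `lenient` keeps
    the search from failing when the value does not fit a field's mapped type
    (for example, a hostname searched against an ip-typed field)."""
    return {
        "size": size,
        "sort": [{"timestamp": {"order": "desc"}}],
        "query": {"bool": {
            "must": [{"multi_match": {"query": value, "fields": list(fields), "lenient": True}}],
            "filter": [{"range": {"rule.level": {"gte": min_level}}}],
        }},
    }


def local_search(hits, value, fields, min_level=0):
    """Offline stand-in for sending build_query() to OpenSearch: applies the same
    predicate to in-memory documents so the example runs without a cluster."""
    out = []
    for hit in hits:
        src = hit["_source"]
        if src["rule"]["level"] < min_level:
            continue
        if any(get_path(src, f) == value for f in fields):
            out.append(hit)
    return out


# Alert fields that become context observables, and the STIX SCO type for each.
# This mapping is an assumption for the example, not the connector's own table.
OBSERVABLE_FIELDS = {
    "data.srcip": "ipv4-addr",
    "data.dstip": "ipv4-addr",
    "agent.ip": "ipv4-addr",
    "agent.name": "hostname",
    "data.srcuser": "user-account",
    "data.dstuser": "user-account",
    "syscheck.path": "file",
}


def extract_context(hits):
    """Enrichment stage: collect (sco_type, value) pairs from the alerts and count
    how many alerts each (rule id, rule level) pair contributed."""
    observables = set()
    rules = Counter()
    for hit in hits:
        src = hit["_source"]
        rules[(src["rule"]["id"], src["rule"]["level"])] += 1
        for field, sco_type in OBSERVABLE_FIELDS.items():
            val = get_path(src, field)
            if val:
                observables.add((sco_type, val))
    return observables, rules


if __name__ == "__main__":
    fields = ["data.srcip", "data.dstip"]
    print(json.dumps(build_query("203.0.113.7", fields, min_level=3), indent=2))
    hits = local_search(SAMPLE_HITS, "203.0.113.7", fields, min_level=3)
    observables, rules = extract_context(hits)
    print(sorted(observables))
    print(dict(rules))
```

Searching for the source address 203.0.113.7 returns only the two rule 5710 alerts; the FIM alert on /etc/passwd is never matched because the value does not occur in any searched field, so its file path does not leak into the incident's context. Raising min_level above 5 filters the same two alerts out, which is the same effect the connector's rule-level threshold has on what becomes a sighting.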

FIM

Wazuh's file integrity monitoring (FIM) module, also referred to as syscheck, creates events when monitored files (and, on Windows, registry entries) are created, modified or deleted.

GCP

Google Cloud Platform

GDPR

General Data Protection Regulation, a European Union regulation on information privacy in the EU and the European Economic Area (EEA).

hive

A hive is a logical group of keys, subkeys and values in the Windows registry.

IoC

Indicator of compromise

Marking definition

Marking definition is a STIX meta object used to segregate data in OpenCTI. The most common use case is to categorise and protect data based on its sensitivity and classification level. See the OpenCTI documentation on data segregation for more information.

In this connector, the following settings relate to marking definitions/TLP:

max_tlp

The highest TLP this connector is allowed to look up. For instance, if max_tlp is set to TLP:AMBER, entities marked with TLP:RED will be ignored.

tlps

This list of marking definitions will be set on every single entity produced by the connector (mainly through enrichment).
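An added example (not the connector's code) of how the two settings interact with TLP markings: max_tlp gates which entities the connector is allowed to look up, and tlps is applied to everything the connector emits. The marking dicts mirror the definition_type/definition shape OpenCTI returns for an entity's objectMarking; the function names, the decision to treat unmarked entities as TLP:CLEAR, and the sample sighting are assumptions made for this example. In a real connector, pycti's OpenCTIConnectorHelper.check_max_tlp() performs the same comparison as allowed_to_search() below.

```python
# TLP levels as named by OpenCTI's default marking definitions, least to most
# restrictive. TLP:WHITE is the TLP 1.0 name for TLP:CLEAR and is accepted as an alias.
TLP_ORDER = ["TLP:CLEAR", "TLP:GREEN", "TLP:AMBER", "TLP:AMBER+STRICT", "TLP:RED"]
TLP_ALIASES = {"TLP:WHITE": "TLP:CLEAR"}


def tlp_rank(name):
    """Position of a TLP marking in TLP_ORDER. Unknown names are rejected rather
    than silently treated as permissive, so a typo in max_tlp cannot widen access."""
    key = name.strip().upper()
    key = TLP_ALIASES.get(key, key)
    if key not in TLP_ORDER:
        raise ValueError(f"unknown TLP marking: {name!r}")
    return TLP_ORDER.index(key)


def entity_tlp(markings):
    """Most restrictive TLP among an entity's marking definitions, or None when
    the entity carries no TLP marking. Non-TLP markings (e.g. PAP) are ignored.
    `markings` are dicts with definition_type and definition keys (assumption)."""
    tlps = [m["definition"] for m in markings if m.get("definition_type") == "TLP"]
    if not tlps:
        return None
    return max(tlps, key=tlp_rank)


def allowed_to_search(markings, max_tlp):
    """max_tlp semantics: the entity may be looked up in Wazuh only if its most
    restrictive TLP is at or below max_tlp. Unmarked entities are treated as
    TLP:CLEAR here (an assumption for this example)."""
    current = entity_tlp(markings)
    if current is None:
        return True
    return tlp_rank(current) <= tlp_rank(max_tlp)


def apply_output_markings(stix_object, tlps):
    """tlps semantics: every object the connector produces gets the configured
    marking definitions in object_marking_refs, deduplicated and without
    dropping markings the object already carries."""
    refs = list(stix_object.get("object_marking_refs", []))
    for ref in tlps:
        if ref not in refs:
            refs.append(ref)
    stix_object["object_marking_refs"] = refs
    return stix_object


if __name__ == "__main__":
    # Constructed entity: an IPv4 observable marked TLP:GREEN and TLP:RED.
    entity_markings = [
        {"definition_type": "TLP", "definition": "TLP:GREEN"},
        {"definition_type": "TLP", "definition": "TLP:RED"},
    ]
    print("effective TLP:", entity_tlp(entity_markings))
    print("lookup allowed with max_tlp=TLP:AMBER:", allowed_to_search(entity_markings, "TLP:AMBER"))
    # Constructed sighting; the marking IDs are placeholders, not real OpenCTI IDs.
    sighting = {"type": "sighting", "object_marking_refs": ["marking-definition--existing"]}
    print(apply_output_markings(sighting, ["marking-definition--configured-tlp"]))
```

The check uses the entity's most restrictive TLP marking, so an observable marked both TLP:GREEN and TLP:RED is still blocked by max_tlp set to TLP:AMBER; sending such a value to a SIEM search would otherwise disclose TLP:RED data to every analyst who can read the Wazuh indices.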

OpenSearch

OpenSearch is the search engine and dashboard stack on which the Wazuh indexer and Wazuh dashboard are based; it is the default store for Wazuh alerts unless the deployment uses Elasticsearch/Kibana instead. This connector queries it using OpenSearch's query DSL.

SCO

STIX cyber observable. See observable for details.

SDO

STIX domain object

SID

Security Identifier, a unique identifier assigned to each security principal, such as a user, group or computer, in a Windows environment.

SIEM

Security information and event management

SOC

Security operations centre

SRO

STIX relationship object

STIX

Structured Threat Information Expression, a language and serialisation format used to exchange cyber threat intelligence. STIX is used extensively in OpenCTI and is the main format used to import and export data.

See Introduction to STIX and the STIX reference for details.

TLP

Traffic light protocol, the default marking definition used in OpenCTI. See the OpenCTI documentation on TLP in data segregation for more information.

See marking definition for more information on how TLP is used in the connector.

TTP

Tactics, techniques and procedures, usually referring to MITRE ATT&CK.

UUID

Universally Unique Identifier. Easily generated by running uuidgen on Linux (on Debian and Ubuntu it is provided by the uuid-runtime package).

Wazuh

An open-source SIEM and XDR platform. Its agents collect logs, file integrity and other host data, which the Wazuh manager analyses against rules to produce alerts.