Quickly search your logs with the Wazuh-Indexer module to spot IoCs.
Use the Wazuh-Indexer module to quickly search your logs for IoCs. This module is designed to help SOC analysts quickly spot any other endpoints that have the same IoCs associated with their ingested events.
The module is built for the following IoC types:
- IP address
- Domain
- SHA256 hash
- Filename
The module can be configured to search any index and looks for IoCs in the following fields:
- dns_query
- dst_ip
- sha256
- data_win_eventdata_targetFilename
You can configure the module to search any index and any fields you like.
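As an added example (not the module's own code), the search the module is described as performing, written out as an OpenSearch query against the default fields above, plus a helper that groups the hits by endpoint so the analyst sees which other agents share the IoC. The query shape, the mapping of IoC type to field, the `agent.name` source field and the sample response are assumptions, not taken from the module.

```python
import json
from collections import Counter

# Supported IoC types mapped to the default fields the module searches.
# Which field pairs with which type is an assumption made for this example.
IOC_FIELDS = {
    "ip": ["dst_ip"],
    "domain": ["dns_query"],
    "sha256": ["sha256"],
    "filename": ["data_win_eventdata_targetFilename"],
}

def build_ioc_query(ioc_type, value, fields=None, size=100):
    """Build an OpenSearch query body that finds events holding `value` in
    any of the configured fields (defaults to IOC_FIELDS for the type)."""
    if ioc_type not in IOC_FIELDS:
        raise ValueError(f"unsupported IoC type: {ioc_type}")
    fields = fields or IOC_FIELDS[ioc_type]
    return {
        "size": size,
        "_source": ["agent.name", "agent.id", "timestamp"] + fields,
        "query": {"bool": {
            # one exact-phrase clause per field; any single match is enough
            "should": [{"match_phrase": {f: value}} for f in fields],
            "minimum_should_match": 1,
        }},
    }

def endpoints_with_ioc(response, agent_field="agent.name"):
    """Group search hits by endpoint: {agent name: matching event count}.
    Assumes Wazuh's nested `agent` object inside each hit's _source."""
    counts = Counter()
    for hit in response.get("hits", {}).get("hits", []):
        node = hit.get("_source", {})
        for part in agent_field.split("."):          # walk the dotted path
            node = node.get(part, {}) if isinstance(node, dict) else {}
        if isinstance(node, str):
            counts[node] += 1
    return dict(counts.most_common())

# Constructed sample response standing in for a wazuh-alerts* search result.
SAMPLE_RESPONSE = {"hits": {"hits": [
    {"_source": {"agent": {"name": "WIN-SRV01"}, "dst_ip": "203.0.113.9"}},
    {"_source": {"agent": {"name": "WIN-SRV01"}, "dst_ip": "203.0.113.9"}},
    {"_source": {"agent": {"name": "LNX-WEB02"}, "dst_ip": "203.0.113.9"}},
]}}

if __name__ == "__main__":
    print(json.dumps(build_ioc_query("ip", "203.0.113.9"), indent=2))
    print(endpoints_with_ioc(SAMPLE_RESPONSE))  # {'WIN-SRV01': 2, 'LNX-WEB02': 1}
```

Passing your own `fields` list to `build_ioc_query` mirrors the "Fields to search" setting, so the same value can be checked across every configured field in one request.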
Currently, the Wazuh-Indexer module can be run as a DFIR-IRIS module.
Get started with DFIR-IRIS: Video Tutorial
- Fetch the Wazuh-Indexer module repo:
  git clone https://github.com/socfortress/iris-wazuhindexer-module
  cd iris-wazuhindexer-module
- Install the module:
  ./buildnpush2iris.sh -a
Once installed, configure the module to include:
- Wazuh-Indexer endpoint
- Wazuh-Indexer username (read permissions for your desired index required)
- Wazuh-Indexer password
- Index naming pattern (e.g. wazuh-alerts*)
- Fields to search (e.g. dns_query, dst_ip, sha256, data_win_eventdata_targetFilename)
- Navigate to Advanced -> Modules
- Add a new module
- Input the module name: iris_wazuhindexer_module
- Configure the module
To run the module, select Case -> IOC and select the dropdown menu.
The beta currently supports IoCs of type: ip, domain, sha256, filename.
Auto refresh is coming soon.
If you are experiencing issues, please contact us at [email protected]