
A package for anomaly detection using Isolation Forest for Wazuh Alerts

Project description

Mimizuku: Anomaly Detection for Wazuh Alerts

Mimizuku is a Python library designed for anomaly detection based on filesystem and command auditing events extracted from Wazuh alerts. It leverages unsupervised learning techniques to identify unusual activities in system logs, making it ideal for security-related use cases, such as detecting unauthorized file modifications or suspicious command executions.

Features

  • Wazuh Alerts Integration: Specifically designed to process Wazuh alert logs for anomaly detection.
  • Flexible Anomaly Detection: Detects anomalies using filesystem events and command executions based on custom rules.
  • Customizable Settings: Configure parameters such as the number of neighbors, contamination rate, and file/user ignore lists.
  • Filesystem Event Monitoring: Automatically identifies suspicious file changes.
  • Command Auditing: Detects anomalies in command execution patterns.
  • Model Persistence: Easily save and load trained models for future use.

Installation

pip install mimizuku

Usage

1. Initialize and Train the Model

import pandas as pd  # only needed if you pass a DataFrame instead of a file path
from mimizuku import Mimizuku

# Initialize the model with custom settings
model = Mimizuku(contamination=0.001, n_neighbors=5)

# Train the model using a Wazuh alert log file (or a pandas DataFrame)
model.fit("./training.json")

# Save the trained model for later use
model.save_model("./models")

2. Load and Use the Model for Anomaly Detection

import pandas as pd  # only needed if you pass a DataFrame instead of a file path

from mimizuku import Mimizuku
from mimizuku.rules.audit_command import AuditCommand
from mimizuku.rules.fs_notify import FsNotify

# Initialize the model
n_neighbors = 5
contamination = 0.001
ignore_user_names = ["root"]

fsn = FsNotify(
    n_neighbors=n_neighbors,
    contamination=contamination,
)
ac = AuditCommand(
    n_neighbors=n_neighbors,
    contamination=contamination,
    ignore_user_names=ignore_user_names,
)

model = Mimizuku()
model.add_rule(fsn)
model.add_rule(ac)

# Train the model with a log file or DataFrame
model.fit("./training.json")

# Save the trained model
model.save_model("./models")

# Load the model and use it for prediction
loaded_model = Mimizuku.load_model("./models")
anomalies_df = loaded_model.predict("./test.json")

# Display detected anomalies
print("Detected anomalies:")
print(anomalies_df)

Customization Options

Parameters for Model Initialization:

  • n_neighbors: Number of neighbors to use for the Local Outlier Factor algorithm.
  • contamination: Proportion of the dataset that is expected to be anomalous.

Model Persistence:

  • save_model(model_path): Saves the trained model and vectorizer to a specified path.
  • load_model(model_path): Loads a saved model and applies ignore lists during prediction.

Example Log Format

The input data for the model is expected to be in JSON format, following the Wazuh alert structure. Below is an example of a Wazuh alert log entry that Mimizuku can process:

{
  "syscheck": {
    "path": "/etc/passwd",
    "event": "modified",
    "audit": {
      "effective_user": {
        "name": "root"
      }
    }
  },
  "agent": {
    "name": "my-hostname"
  },
  "rule": {
    "id": "550",
    "level": 7
  }
}
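The alert above shows the fields Mimizuku reads (the syscheck path and event, the effective user, and the agent name). The following is an added example, not mimizuku's own code, of how such alerts can be flattened into feature rows and ranked so that the contamination and ignore_user_names knobs described under Customization Options become concrete. It assumes the input is newline-delimited Wazuh alert JSON (one alert per line), uses a simple rarity score (inverse frequency of the agent/user/path/event tuple) in place of the library's actual learning algorithm, and handles alerts that lack the syscheck or audit blocks. The sample alerts are constructed.

```python
"""Added example (not mimizuku's own code): flatten Wazuh syscheck alerts into
feature rows and rank them by rarity. The scoring is a deliberate simplification
standing in for the library's real model; the parsing mirrors the alert layout
shown on the page."""
import json
from collections import Counter

# Constructed sample: newline-delimited Wazuh alerts. Eight routine syslog
# rotations, three one-off modifications, one alert without an audit block,
# and one alert that is not a syscheck event at all.
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"syscheck": {"path": "/var/log/syslog", "event": "modified",
                  "audit": {"effective_user": {"name": "syslog"}}},
     "agent": {"name": "web-01"}, "rule": {"id": "550", "level": 7}},
] * 8 + [
    {"syscheck": {"path": "/etc/passwd", "event": "modified",
                  "audit": {"effective_user": {"name": "root"}}},
     "agent": {"name": "web-01"}, "rule": {"id": "550", "level": 7}},
    {"syscheck": {"path": "/etc/shadow", "event": "modified",
                  "audit": {"effective_user": {"name": "www-data"}}},
     "agent": {"name": "web-01"}, "rule": {"id": "550", "level": 7}},
    {"syscheck": {"path": "/tmp/x", "event": "added"},  # no audit block
     "agent": {"name": "web-02"}, "rule": {"id": "554", "level": 5}},
    {"agent": {"name": "web-02"}, "rule": {"id": "5501", "level": 3}},  # no syscheck
])


def parse_alerts(text):
    """Return one feature dict per syscheck alert; alerts without a syscheck
    block are skipped, and a missing audit block yields user '<unknown>'."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        alert = json.loads(line)
        sc = alert.get("syscheck")
        if not sc:
            continue
        user = (sc.get("audit", {}).get("effective_user", {})
                  .get("name", "<unknown>"))
        rows.append({
            "agent": alert.get("agent", {}).get("name", "<unknown>"),
            "user": user,
            "path": sc.get("path", ""),
            "event": sc.get("event", ""),
            "rule_id": alert.get("rule", {}).get("id", ""),
        })
    return rows


def rarity_scores(rows, ignore_user_names=()):
    """Score each row as 1 / frequency of its (agent, user, path, event)
    tuple, after dropping rows whose user is on the ignore list."""
    kept = [r for r in rows if r["user"] not in ignore_user_names]
    keys = [(r["agent"], r["user"], r["path"], r["event"]) for r in kept]
    counts = Counter(keys)
    return [(r, 1.0 / counts[k]) for r, k in zip(kept, keys)]


def detect(text, contamination=0.1, ignore_user_names=()):
    """Flag the top `contamination` fraction of rows by rarity (at least one).
    Sorting is stable, so ties keep their input order."""
    scored = rarity_scores(parse_alerts(text), ignore_user_names)
    n_flag = max(1, int(round(len(scored) * contamination)))
    scored.sort(key=lambda rs: rs[1], reverse=True)
    return [r for r, _ in scored[:n_flag]]


if __name__ == "__main__":
    for row in detect(SAMPLE_ALERTS, contamination=0.2, ignore_user_names=("root",)):
        print(row)
```

With root ignored and contamination 0.2, only the www-data write to /etc/shadow and the unattributed file added under /tmp are flagged; with root kept and contamination 0.3, the root edit of /etc/passwd is flagged as well. Note that the ignore list affects both training and scoring here, as load_model's ignore lists do during prediction.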

License

Mimizuku is licensed under the MIT License.

Project details


Download files


Source Distribution

mimizuku-0.2.34.tar.gz (7.2 kB)

Built Distribution

mimizuku-0.2.34-py3-none-any.whl (8.0 kB)

File details

Details for the file mimizuku-0.2.34.tar.gz.

File metadata

  • Download URL: mimizuku-0.2.34.tar.gz
  • Size: 7.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.12.2

File hashes

Hashes for mimizuku-0.2.34.tar.gz
Algorithm Hash digest
SHA256 50321cbc8d42abb5fd66347f50ece3b278623fb9c202cc7c70d686df6bada711
MD5 2ee66eb09522e7baa96ea05ae38b957a
BLAKE2b-256 e34f81506bf63e56778b6ce4f4c7eb2c6ae0388d94fb5d738f6c8a2eee46980c


File details

Details for the file mimizuku-0.2.34-py3-none-any.whl.

File metadata

  • Download URL: mimizuku-0.2.34-py3-none-any.whl
  • Size: 8.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.12.2

File hashes

Hashes for mimizuku-0.2.34-py3-none-any.whl
Algorithm Hash digest
SHA256 b768576fe5298b06c339ab780d7fe3c905c21577fc324c017482d544345fee1d
MD5 f591a2baaa9838755beb58e6d3afd027
BLAKE2b-256 e2c35bcf47b90e87bcf7824e560624b8bbdc9f1de5964993427abe6efd2b66bb
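The digests above are what a consumer should compare against before installing an artifact that was fetched outside of pip's own index checks, and they are also the values to pin in a requirements file for pip's --require-hashes mode. The following is an added example, not part of the mimizuku project, that hashes a local file in chunks, compares it with the published SHA256, and builds a hash-pinned requirements line; the digests are the ones listed on this page, and the helper that writes a small scratch file is there only so the check can be exercised offline on constructed data.

```python
"""Added example (not part of the mimizuku project): verify a downloaded
release file against the SHA256 digest published on the package page and
emit a requirements line for `pip install --require-hashes`."""
import hashlib
import os
import tempfile

# SHA256 digests as listed under "File hashes" on this page.
PUBLISHED_SHA256 = {
    "mimizuku-0.2.34.tar.gz":
        "50321cbc8d42abb5fd66347f50ece3b278623fb9c202cc7c70d686df6bada711",
    "mimizuku-0.2.34-py3-none-any.whl":
        "b768576fe5298b06c339ab780d7fe3c905c21577fc324c017482d544345fee1d",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA256 so large archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path, expected_hex):
    """True only if the file's SHA256 equals the published digest
    (hex compared case-insensitively, surrounding whitespace ignored)."""
    return sha256_of_file(path).lower() == expected_hex.strip().lower()


def hash_pinned_requirement(name, version, digests):
    """Build a requirements.txt line that pip accepts with --require-hashes;
    listing both the sdist and wheel digests lets either artifact satisfy it."""
    hashes = " ".join(f"--hash=sha256:{d}" for d in digests)
    return f"{name}=={version} {hashes}"


def demo_file(contents):
    """Write constructed bytes to a temporary file and return its path
    (helper for exercising the check without a real download)."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(contents)
    return path


if __name__ == "__main__":
    print(hash_pinned_requirement("mimizuku", "0.2.34", PUBLISHED_SHA256.values()))
    for fname, digest in PUBLISHED_SHA256.items():
        if os.path.exists(fname):
            print(fname, "OK" if verify_artifact(fname, digest) else "MISMATCH")
```

Put the emitted line in a requirements file and install with `pip install --require-hashes -r requirements.txt`; pip then refuses any artifact whose digest is not listed, which is the property a release pin is meant to give you.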
