A package for anomaly detection using Isolation Forest for Wazuh Alerts
Project description
Mimizuku: Anomaly Detection for Wazuh Alerts
Mimizuku is a Python library designed for anomaly detection based on filesystem and command auditing events extracted from Wazuh alerts. It leverages unsupervised learning techniques to identify unusual activities in system logs, making it ideal for security-related use cases, such as detecting unauthorized file modifications or suspicious command executions.
Features
- Wazuh Alerts Integration: Specifically designed to process Wazuh alert logs for anomaly detection.
- Flexible Anomaly Detection: Detects anomalies using filesystem events and command executions based on custom rules.
- Customizable Settings: Configure parameters such as the number of neighbors, contamination rate, and file/user ignore lists.
- Filesystem Event Monitoring: Automatically identifies suspicious file changes.
- Command Auditing: Detects anomalies in command execution patterns.
- Model Persistence: Easily save and load trained models for future use.
Installation
pip install mimizuku
Usage
1. Initialize and Train the Model
import pandas as pd
from mimizuku import Mimizuku
# Initialize the model with custom settings
model = Mimizuku(contamination=0.001, n_neighbors=5)
# Train the model using a Wazuh alert log file or DataFrame
model.fit("./training.json")
# Save the trained model for later use
model.save_model("./models")
2. Load and Use the Model for Anomaly Detection
import pandas as pd
from mimizuku import Mimizuku
from mimizuku.rules.audit_command import AuditCommand
from mimizuku.rules.fs_notify import FsNotify
# Initialize the model
n_neighbors = 5
contamination = 0.001
ignore_user_names = ["root"]
fsn = FsNotify(
n_neighbors=n_neighbors,
contamination=contamination,
)
ac = AuditCommand(
n_neighbors=n_neighbors,
contamination=contamination,
ignore_user_names=ignore_user_names,
)
model = Mimizuku()
model.add_rule(fsn)
model.add_rule(ac)
# Train the model with a log file or DataFrame
model.fit("./training.json")
# Save the trained model
model.save_model("./models")
# Load the model and use it for prediction
loaded_model = Mimizuku.load_model("./models")
anomalies_df = loaded_model.predict("./test.json")
# Display detected anomalies
print("Detected anomalies:")
print(anomalies_df)
Customization Options
Parameters for Model Initialization:
n_neighbors
: Number of neighbors to use for the Local Outlier Factor algorithm.contamination
: Proportion of the dataset that is expected to be anomalous.
Model Persistence:
save_model(model_path)
: Saves the trained model and vectorizer to a specified path.load_model(model_path)
: Loads a saved model and applies ignore lists during prediction.
Example Log Format
The input data for the model is expected to be in JSON format, following the Wazuh alert structure. Below is an example of a Wazuh alert log entry that Mimizuku can process:
{
"syscheck": {
"path": "/etc/passwd",
"event": "modified",
"audit": {
"effective_user": {
"name": "root"
}
}
},
"agent": {
"name": "my-hostname"
},
"rule": {
"id": "550",
"level": 7
}
}
License
Mimizuku is licensed under the MIT License.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for mimizuku-0.2.34-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | b768576fe5298b06c339ab780d7fe3c905c21577fc324c017482d544345fee1d |
|
MD5 | f591a2baaa9838755beb58e6d3afd027 |
|
BLAKE2b-256 | e2c35bcf47b90e87bcf7824e560624b8bbdc9f1de5964993427abe6efd2b66bb |