US-041, US-042, US-043, US-044, US-045, US-109
L7 — SOC / SIEM (Wazuh)
Real-time threat monitoring · 12 agents enrolled · 3 active alerts today
Critical Alerts: 1 · High Alerts: 2 · Active Agents: 12 · Alerts Today: 48
Live Alert Feed US-042, US-043
CRITICAL
07:14:32 · PROD-WEB-01
Possible rootkit — /proc filesystem manipulation
Rule 510 — Wazuh rootcheck (host-based anomaly detection) · MITRE: T1014 Rootkit
🤖 Claude AI Triage: A process is manipulating /proc entries, a common technique used by rootkits to hide running processes. This is a critical indicator of compromise. Immediate isolation of PROD-WEB-01 is recommended. Do not shut down — take a memory snapshot first.
Confidence: 91% · Generated 07:14:34
HIGH
07:02:11 · PROD-WEB-01
SSH brute force — 47 failed attempts in 60 seconds
Rule 5712 — MITRE: T1110 Brute Force
🤖 Source IP 185.220.101.42 blocked via iptables (SOAR auto-response)
SOAR Auto-Blocked
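The detection and response logic behind the alert above, as an added example for this page rather than Wazuh or SOAR code: a sliding-window counter of sshd "Failed password" lines per source IP that emits the iptables rule once the threshold is crossed. Wazuh rule 5712 uses the frequency and timeframe set in its ruleset; the 47-in-60-seconds values, the constructed log lines, the year 2026 and the host names are assumptions taken from the dashboard.

```python
"""Sliding-window SSH brute-force detection with an iptables block decision.

Added example for this page, not Wazuh or SOAR code. Wazuh rule 5712 fires on
repeated sshd authentication failures using the frequency/timeframe set in the
ruleset; THRESHOLD and WINDOW_SECONDS below are taken from the dashboard alert
(47 failures in 60 s) and are assumptions for this demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 47          # failed attempts (assumed, from the dashboard alert)
WINDOW_SECONDS = 60     # sliding window length (assumed, from the dashboard alert)
LOG_YEAR = 2026         # syslog timestamps carry no year; assumed for parsing

# Matches the standard OpenSSH "Failed password" auth log line.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failed_login(line, year=LOG_YEAR):
    """Return (timestamp, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def block_command(ip):
    """The iptables rule a SOAR playbook would apply (returned here, never executed)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


class BruteForceDetector:
    """Counts failed logins per source IP inside a sliding time window."""

    def __init__(self, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.attempts = defaultdict(deque)   # ip -> timestamps still inside the window
        self.blocked = set()                  # IPs already acted on (block once)

    def feed(self, line):
        """Process one log line; return a block command when the threshold is crossed."""
        parsed = parse_failed_login(line)
        if parsed is None:
            return None                       # successful logins, other daemons, etc.
        ts, ip = parsed
        window = self.attempts[ip]
        window.append(ts)
        # Drop attempts that fell out of the window relative to the newest one.
        while ts - window[0] > self.window:
            window.popleft()
        if len(window) >= self.threshold and ip not in self.blocked:
            self.blocked.add(ip)
            return block_command(ip)
        return None


def build_sample_log():
    """Constructed sshd log lines for the demo (not captured traffic)."""
    lines = []
    base = datetime(LOG_YEAR, 7, 15, 7, 1, 12)
    # 47 failures from one source spread over 58 s: crosses the threshold.
    for i in range(47):
        t = base + timedelta(seconds=i * 60 // 47)
        lines.append(f"{t:%b %d %H:%M:%S} PROD-WEB-01 sshd[{4100 + i}]: "
                     f"Failed password for invalid user admin from 185.220.101.42 port {40000 + i} ssh2")
    # 5 failures from an internal host over 10 min: a fat-fingered admin, stays below threshold.
    for i in range(5):
        t = base + timedelta(seconds=i * 150)
        lines.append(f"{t:%b %d %H:%M:%S} PROD-WEB-01 sshd[{5200 + i}]: "
                     f"Failed password for ops from 10.0.0.15 port {51000 + i} ssh2")
    # A successful key login: not a failure, must be ignored by the detector.
    lines.append(f"{base:%b %d %H:%M:%S} PROD-WEB-01 sshd[5300]: "
                 "Accepted publickey for deploy from 10.0.0.20 port 52000 ssh2: ED25519 SHA256:abc")
    lines.sort()                              # same day, so string order is time order
    return lines


def run_detector(lines, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Feed every line through the detector; return the block commands it emitted."""
    det = BruteForceDetector(threshold, window_seconds)
    return [cmd for cmd in (det.feed(line) for line in lines) if cmd is not None]


if __name__ == "__main__":
    for cmd in run_detector(build_sample_log()):
        print(" ".join(cmd))
```

The window is evicted relative to the newest attempt for that IP, so a slow trickle of failures never accumulates into a block, and `blocked` prevents the playbook from re-inserting the same rule on every subsequent failure. Before wiring this into an auto-response, allow-list the CI runners and bastion hosts; otherwise the first misconfigured deploy job blocks itself, which is exactly the class of false positive the suppression table below exists to manage.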
MED
06:58:01 · DEV-LAPTOP-04
FIM — /etc/passwd modified
Rule 550 — Wazuh syscheck (integrity checksum changed)
Agent Health US-041, US-045
| Agent | OS | Last Heartbeat | CPU | Mem | Status |
|---|---|---|---|---|---|
| PROD-WEB-01 | Ubuntu 22.04 | 07:14:50 (2s ago) | 38% | 62% | Active |
| PROD-DB-01 | Ubuntu 22.04 | 07:14:48 (4s ago) | 12% | 44% | Active |
| DEV-LAPTOP-04 | macOS 14.2 | 07:13:11 (99s ago) | 4% | 71% | Active |
| WIN-OFFICE-07 | Windows 11 | 06:58:01 (17m ago) | — | — | Stale |
⚠ WIN-OFFICE-07 has not sent heartbeat in 17 minutes. Investigate.
FIM Alerts US-044
07:02:44
/etc/sudoers — modified by root (unexpected)
SHA256: a3f9b2… → 1c4d8f…
06:58:01
/etc/passwd — new entry added
DEV-LAPTOP-04 · user: deploy
False Positive Management US-109
| Rule ID | Description | Agent | Suppressed Until | Marked By | Actions |
|---|---|---|---|---|---|
| 31103 | SSH login from new IP (known CI runner) | All agents | 15 Jul 2026 | J.Doe | |
| 550 | FIM — /tmp files modified (deployment script) | PROD-WEB-01 | 30 Jun 2026 | IT Manager | |