wazuh vs VMware Carbon Black Response

[Udi Moshe]

Hi all,

i am trying to figure out if i can get the same inf i get from cbr agents in wazuh.

most important for me is to be able to collect info on each process running and the command line that it executes.

for ex. a process was running powershell and i want to see the powershell command, switches and all.

i have attached a screenshot of the data collected by the cbr agent.

Thanks,

Udi

[Pacome Kemkeu]

Hello Udi,

The information you are looking for can be found in the log data collection for windows documentation.
By default, the Wazuh agent monitors the System, Application, and Security Windows event channels but you can also configure it to monitor other Windows event channels of interest such as Sysmon, Powershell etc...

In this table, you have all Windows events channels supported by the Wazuh agent and their description. And here, the instructions on how to configure event channels of your interest.
You can also take a deep look at the out-of-box rulesets designed for these Windows event channels. These rules are categorized based on the event channels to which they belong.

I hope this answers your question.

[Udi Moshe]

Hello Pacome,

thank you very much for this elaborated answer. if i am correct, what you are saying is that wazuh agent is collecting information from the windows event system and rather from some other internal mechanism, am i right ?

Regards,

Udi

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/33BtWJxFQkk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7db888af-76cf-4d27-b261-10f0e58feb03n%40googlegroups.com.