Security Onion & Wazuh for FIM


Paul Siess

Feb 27, 2019, 10:28:57 AM
to security-onion
I have Wazuh Windows agent 3.82 running on 3 file servers and have configured the agents to send events to my SO Master. The master is also running 3.82.

Here's what I'm seeing:
- there are events that get an alert level assigned and appear in alert.log.
- there are other events that have no alert level and appear ONLY in ossec-archive.log.

Here is an example of an entry that is in ossec-archive, but not ossec-alert:

2019 Feb 27 13:03:27 <redacted>->EventChannel {"EventChannel":{"System":{"ProviderName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","EventID":"4663","Version":"0","Level":"0","Task":"12800","Opcode":"0","Keywords":"0x8020000000000000","SystemTime":"2019-02-27T13:03:24.390036700Z","EventRecordID":"4525254862","ProcessID":"4","ThreadID":"88","Channel":"Security","Computer":"<redacted>","SeverityValue":"AUDIT_SUCCESS","Message":"An attempt was made to access an object."},"EventData":{"SubjectUserSid":"<redacted>","SubjectUserName":"<redacted>","SubjectDomainName":"<redacted>","SubjectLogonId":"<redacted>","ObjectServer":"Security","ObjectType":"File","ObjectName":"<redacted>","HandleId":"0x27cc","AccessList":"%%4424","AccessMask":"0x100","ProcessId":"0x4","ProcessName":""}}}

Does this mean that there is no rule for these events, so they are simply archived?


Kevin Branch

Feb 27, 2019, 11:58:02 AM
to securit...@googlegroups.com
Hi Paul,

First of all let me clarify that current Security Onion setups only use alerts.json and archives.json in the pipeline to Logstash, Elasticsearch, and finally Kibana.  While the legacy and more human-readable alerts.log and archives.log are still being written to at this point, it is just for legacy or debugging purposes.

What you have described is entirely normal.  While Wazuh collects, decodes, and analyzes all events sent from your Wazuh agents, only certain events will actually match one of the 2000+ Wazuh HIDS rules and thus generate alerts written to alerts.json.  Those will still be decoded by Wazuh and written to the archives.json file as parsed JSON records, but with no rule/alert metadata because no rule matched.  Only the events that trip a Wazuh HIDS rule are going to appear in the alerts.json file.  

Note that archives.json actually receives records for both rule-matching events and non-rule-matching events, which I believe makes the alerts.json file redundant.  Every record written to alerts.json is also written in exactly the same way to archives.json.  I would not be surprised if Security Onion eventually completely stops looking at the alerts file on account of this.  

Kevin Branch
Wazuh Trainer


Paul Siess

Feb 27, 2019, 12:00:59 PM
to security-onion
Thanks Kevin for the insights. You have confirmed my suspicion that there are no matching rules. Can you provide a resource for writing custom rules?

Kevin Branch

Feb 27, 2019, 12:19:18 PM
to securit...@googlegroups.com
You're welcome, Paul!

This would be a good starting point for rule writing:


If you start needing to get fancy with custom rules and decoders, you may want to get some training as this is a pretty complex area to go deep with.  There is a 3-day Wazuh training course (via Webex) scheduled for mid April that still has openings.  Check out https://wazuh.com/professional-services for more info. 
Full disclosure: I am Wazuh's primary trainer and maintainer of their training materials.

Kevin
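Editor's added example (not from the thread, and not part of Wazuh's shipped ruleset): a local_rules.xml fragment that gives Paul's event ID 4663 records a rule match, so they stop being archive-only and start landing in alerts.json (and therefore in Kibana on Security Onion). It assumes, as the Wazuh 3.x Windows EventChannel decoder does, that the JSON shown above is exposed to rules as win.system.* and win.eventdata.* fields, that rule 60000 is the parent rule for all EventChannel events, and that rule IDs 100100/100101 are free in the 100000+ range reserved for local rules; the %%1537 access-list token is the Windows string for DELETE.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml on the Wazuh manager (the SO master).
     Added illustration, not Wazuh's own ruleset. Assumptions: the 3.x
     EventChannel decoder exposes fields as win.system.* / win.eventdata.*,
     rule 60000 is the parent of every Windows EventChannel event, and
     IDs 100100/100101 are unused locally. -->
<group name="windows,file_server,">

  <!-- Event 4663 on a File object. Any level above 0 is enough for the event
       to be written to alerts.json; level 3 keeps it visible without paging
       anyone. Volume is driven by the SACLs on the shares, so narrow
       win.eventdata.objectName to the paths you care about if it gets noisy. -->
  <rule id="100100" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.eventID">^4663$</field>
    <field name="win.eventdata.objectType">^File$</field>
    <description>File server: $(win.eventdata.subjectUserName) accessed $(win.eventdata.objectName) (access $(win.eventdata.accessList))</description>
    <group>fim,</group>
  </rule>

  <!-- Child rule: escalate when the requested access includes DELETE
       (Windows writes it as %%1537 in the AccessList field). -->
  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <field name="win.eventdata.accessList">%%1537</field>
    <description>File server: $(win.eventdata.subjectUserName) requested DELETE on $(win.eventdata.objectName)</description>
    <group>fim,</group>
  </rule>

</group>
```

Before trusting the field names, run /var/ossec/bin/ossec-logtest on the manager and paste the JSON body of one of the archived 4663 lines into it: the output lists the decoded field names, which is the check that win.system.eventID and win.eventdata.objectType are really what the decoder produces on your version, and after a manager restart it should report rule 100100 (or 100101) as the match. Note that the sample event has ProcessId 0x4 (the System process, i.e. access over SMB), so the useful identity is SubjectUserName, not ProcessName.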