Wazuh Rule Syntax - logging winevent 4688


Ренат Ондар

Oct 12, 2023, 9:18:41 AM
to Wazuh | Mailing List
Hello team!

So I want to track event 4688 (process creation).
I researched how to do that and found a good example here: https://groups.google.com/g/wazuh/c/tfl6Fq4WHS0

I have created a local rule in /var/ossec/etc/rules/local_rules.xml

<group name="testwinevent">
  <rule id="100047" level="6">
    <field name="win.system.eventID">4688</field>
    <description>Windows Event ID 4688 - Process Creation</description>
  </rule>
</group>


And restarted the Wazuh manager.
Unfortunately, I tried to test it with the wazuh-logtest tool and it's not working.
I put an example of my 4688 log in the attachment.
The output of the wazuh-logtest tool gives me just

**Phase 2: Completed decoding.
        name: 'json'

And nothing more. 

I also tested the log in the GUI tool Ruleset Test. Here, as far as I can see, this tool fully parsed all of the fields.

I would appreciate any insights.
note.txt

Nicolas Agustin Guevara Pihen

Oct 12, 2023, 11:12:05 AM
to Wazuh | Mailing List
Hello Ренат, hope you are well. 

The log that you are using to test doesn't look like the EventChannel logs that Wazuh uses. You could try to obtain the correct log by doing the following steps:
  • Enable logall: in /var/ossec/etc/ossec.conf, set the <logall_json> option to yes. This will make Wazuh store all the logs that it receives.
  • Restart the manager and reproduce the event on the agent.
  • Check /var/ossec/logs/archives/archives.json to search for the log. You can use cat /var/ossec/logs/archives/archives.json | grep 4688 to search only the logs that contain that number.
  • The log that you will find is a JSON with several fields. You need to copy the content of the full_log field (note that it may have some escaped characters, i.e. \", in that case remove the \).
  • Test that in the logtest. If you are using the correct log, it will decode the fields (even if the rule is not correct). You should see something like:

  **Phase 2: Completed decoding.
          name: 'json'
          win.eventdata.logonType: '7'
          win.eventdata.targetDomainName: 'TEST-PC'
          win.eventdata.targetLogonId: '0x3aa7649'
          win.eventdata.targetUserName: 'test'
          win.eventdata.targetUserSid: 'S-1-5-21-1479626784-3650196963-2719721884-1001'
          win.system.channel: 'Security'
          ...
Once you have that, you will know which log to use to test it, but the rule will still not trigger in the logtest. That is because by default the logtest is not able to test the logs that come via EventChannel. However, there is a workaround:
  • Back up the file /var/ossec/ruleset/rules/0575-win-base_rules.xml
  • Modify rule 60000 inside that file, removing the category and changing the decoded_as to json:

    <rule id="60000" level="0">
      <decoded_as>json</decoded_as>
      <field name="win.system.providerName">\.+</field>
      <options>no_full_log</options>
      <description>Group of windows rules.</description>
    </rule>


  • Now you can test your log with the logtest and confirm whether the rule is working. It is not necessary to restart the manager after modifying this or any other rules file in order to use the logtest.
  • WARNING: after testing, restore the file 0575-win-base_rules.xml to its original state. If you don't do that, after restarting the manager all the Windows EventChannel alerts will stop working, as the main rule is changed. The modification that I suggest is only for testing purposes.
I hope you find this information helpful!
Regards,
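
The grep-and-copy step from the answer above, done in a script, as an added example that is not part of the thread and not Wazuh's own code: it reads archives.json lines, keeps only EventChannel records whose win.system.eventID is 4688, and returns the full_log content with the \" escaping already undone so it can be pasted into wazuh-logtest. The sample archive lines are constructed; apart from full_log and win.system.eventID (named in the thread), every key and value in them is an assumption.

```python
import json

# Constructed sample of /var/ossec/logs/archives/archives.json (not a real
# capture): one JSON record per line, the raw EventChannel event stored as an
# escaped JSON string in "full_log". Only "full_log" and "win.system.eventID"
# are named in the thread; every other key and value here is made up.
SAMPLE_ARCHIVES = [
    json.dumps({"location": "EventChannel", "full_log": json.dumps({"win": {
        "system": {"providerName": "Microsoft-Windows-Security-Auditing",
                   "eventID": "4688", "channel": "Security"},
        "eventdata": {"subjectUserName": "test",
                      "newProcessName": "C:\\Windows\\System32\\notepad.exe"}}})}),
    json.dumps({"location": "EventChannel", "full_log": json.dumps({"win": {
        "system": {"providerName": "Microsoft-Windows-Security-Auditing",
                   "eventID": "4624", "channel": "Security"},
        "eventdata": {"logonType": "7", "targetUserName": "test"}}})}),
    # A syslog record: its full_log is not JSON and must be skipped.
    json.dumps({"location": "/var/log/auth.log",
                "full_log": "Oct 12 09:00:00 host sshd[100]: Accepted ..."}),
]

def extract_event_logs(lines, event_id="4688"):
    """Return the full_log of each EventChannel record whose win.system.eventID
    equals event_id. json.loads already undoes the \\" escaping, so each
    returned string can be pasted into wazuh-logtest unchanged."""
    matches = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON archive line
        full_log = record.get("full_log") if isinstance(record, dict) else None
        if not isinstance(full_log, str):
            continue
        try:
            event = json.loads(full_log)
        except json.JSONDecodeError:
            continue  # e.g. a syslog line, not an EventChannel event
        # Same field the local rule tests: <field name="win.system.eventID">
        win = event.get("win") if isinstance(event, dict) else None
        system = win.get("system") if isinstance(win, dict) else None
        if isinstance(system, dict) and system.get("eventID") == event_id:
            matches.append(full_log)
    return matches


if __name__ == "__main__":
    for log in extract_event_logs(SAMPLE_ARCHIVES):
        print(log)  # copy this line into wazuh-logtest
```

Run it against the real file with `extract_event_logs(open("/var/ossec/logs/archives/archives.json"))` once logall_json is enabled.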

Renat Ondar

Oct 16, 2023, 2:43:53 AM
to Wazuh | Mailing List
Nicolas, hello and thank you!
That worked for me!

Thursday, October 12, 2023 at 18:12:05 UTC+3, Nicolas Agustin Guevara Pihen: