log test pass. alert not logged for eid 1126


James Camacho

Aug 11, 2022, 6:18:58 PM
to Wazuh mailing list
having an issue logging alert id 1126 into wazuh
Microsoft-Windows-Windows Defender

{"win":{"system":{"providerName":"Microsoft-Windows-Windows Defender","providerGuid":"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}","eventID":"1126","version":"0","level":"3","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-08-11T20:41:29.0430704Z","eventRecordID":"23822","processID":"4980","threadID":"7900","channel":"Microsoft-Windows-Windows Defender/Operational","computer":"computer02","severityValue":"WARNING","message":"\"Your IT administrator has caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.\r\n \tDetection time: 2022-08-11T20:41:29.042Z\r\n \tUser: S-1-5-21-11111111-11111111-11111111-1111\r\n \tDestination: https://smartscreentestratings2.net\r\n \tProcess Name: C:\\Windows\\System32\\curl.exe\r\n\""},"eventdata":{"product Name":"Microsoft Defender Antivirus","product Version":"4.18.2205.7","detection Time":"2022-08-11T20:41:29.042Z","user":"S-1-5-21-1111111-1111111-111111-1111","destination":"https://smartscreentestratings2.net","process Name":"C:\\\\Windows\\\\System32\\\\curl.exe"}}}


Rule 

<group name="Defender">
<rule id="666685" level="12">
    <field name="win.system.eventID">^1126$</field>
    <description> Exploit Guard blocked a potentially dangerous network connection</description>
    <options>alert_by_email</options>
</rule>
</group>


rule test output seems to be successful

**Phase 1: Completed pre-decoding.
    full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Windows Defender","providerGuid":"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}","eventID":"1126","version":"0","level":"3","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-08-11T20:41:29.0430704Z","eventRecordID":"23822","processID":"4980","threadID":"7900","channel":"Microsoft-Windows-Windows Defender/Operational","computer":"computer02","severityValue":"WARNING","message":"\"Your IT administrator has caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.\r\n \tDetection time: 2022-08-11T20:41:29.042Z\r\n \tUser: S-1-5-21-11111111-11111111-11111111-1111\r\n \tDestination: https://smartscreentestratings2.net\r\n \tProcess Name: C:\\Windows\\System32\\curl.exe\r\n\""},"eventdata":{"product Name":"Microsoft Defender Antivirus","product Version":"4.18.2205.7","detection Time":"2022-08-11T20:41:29.042Z","user":"S-1-5-21-1111111-1111111-111111-1111","destination":"https://smartscreentestratings2.net","process Name":"C:\\\\Windows\\\\System32\\\\curl.exe"}}}'

**Phase 2: Completed decoding.
    name: 'json'
    win.eventdata.destination: 'https://smartscreentestratings2.net'
    win.eventdata.detection Time: '2022-08-11T20:41:29.042Z'
    win.eventdata.process Name: 'C:\\Windows\\System32\\curl.exe'
    win.eventdata.product Name: 'Microsoft Defender Antivirus'
    win.eventdata.product Version: '4.18.2205.7'
    win.eventdata.user: 'S-1-5-21-1111111-1111111-111111-1111'
    win.system.channel: 'Microsoft-Windows-Windows Defender/Operational'
    win.system.computer: 'computer02'
    win.system.eventID: '1126'
    win.system.eventRecordID: '23822'
    win.system.keywords: '0x8000000000000000'
    win.system.level: '3'
    win.system.message: '"Your IT administrator has caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.
    Detection time: 2022-08-11T20:41:29.042Z
    User: S-1-5-21-11111111-11111111-11111111-1111
    Destination: https://smartscreentestratings2.net
    Process Name: C:\Windows\System32\curl.exe "'
    win.system.opcode: '0'
    win.system.processID: '4980'
    win.system.providerGuid: '{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}'
    win.system.providerName: 'Microsoft-Windows-Windows Defender'
    win.system.severityValue: 'WARNING'
    win.system.systemTime: '2022-08-11T20:41:29.0430704Z'
    win.system.task: '0'
    win.system.threadID: '7900'
    win.system.version: '0'

**Phase 3: Completed filtering (rules).
    id: '666685'
    level: '12'
    description: ' Exploit Guard blocked a potentially dangerous network connection'
    groups: '["Defender"]'
    firedtimes: '1'
    mail: 'true'
**Alert to be generated.

does it need a custom decoder? 

victor....@wazuh.com

Aug 16, 2022, 3:40:49 AM
to Wazuh mailing list

Hello jcamachio1982,

Microsoft-Windows-Windows Defender events are collected using the eventchannel format. In order to gather those events you should have added to your agent configuration something like this:

<localfile>
    <location>Microsoft-Windows-Windows Defender</location>
    <log_format>eventchannel</log_format>
</localfile>

This must be taken into account when creating rules and decoders.
In your case, there is no reference that the event should be of this type, so the rule will expect a json event (because the field option has been used).
This can be easily seen if we look at some currently defined Windows Defender rules. For example:

  <!-- Event ID 1002 -->
  <rule id="62109" level="5">
    <if_sid>62101</if_sid>
    <field name="win.system.eventID">^1002$</field>
    <description>Windows Defender: Antimalware scan was stopped before it finished</description>
    <options>no_full_log</options>
    <group>gdpr_IV_35.7.d,pci_dss_10.6.1,pci_dss_5.3,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

This rule makes use of the option if_sid. Using this option, the rule will match when an ID on the list has previously matched. In this case, this rule will trigger when rule 62101 has previously matched. Notice that 62101 is the id of the Windows Defender warning event rule.

To make your rule work as expected and create a maintainable ruleset I recommend that you change your rule to:

<group name="Defender">
<rule id="666685" level="12">
   <if_sid>62101</if_sid>
   <field name="win.system.eventID">^1126$</field>
    <description> Exploit Guard blocked a potentially dangerous network connection</description>
    <options>alert_by_email</options>
</rule>
</group>

Using this rule the event will follow this rule hierarchy:
6000 (Windows rules) > 6005 (Defender rules) > 62101 (Defender warning rules) > 666685 (Custom rule)

In order to test your ruleset, please take into account that it is not possible to use logtest for windows events. If you need to perform some testing, it is necessary to change the defined rule 60000 in the file /var/ossec/ruleset/rules/0575-win-base_rules.xml to:

  <rule id="60000" level="0">
    <decoded_as>json</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules</description>
  </rule>

That is, removing the category option and replacing the decoded_as value. Then, you can use logtest as usual. Remember to change it back to its original state after your testing is over.

If you have any questions, do not hesitate to ask.
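The temporary rule 60000 edit described in the reply, as an added example that is neither part of the thread nor Wazuh's own tooling: a reversible shell helper that rewrites only the rule 60000 block (dropping <category> and setting <decoded_as> to json), keeps a backup, and restores it afterwards. It assumes the original rule carries <category>ossec</category> and <decoded_as>windows_eventchannel</decoded_as>, and the dry run operates on a constructed copy rather than the real rules file.

```shell
# Added example (not from the thread or Wazuh): temporarily rewrite rule 60000 so
# wazuh-logtest accepts a pasted Windows eventchannel JSON event, then restore it.
# Assumed: the original rule carries <category>ossec</category> and
# <decoded_as>windows_eventchannel</decoded_as>; verify against your install.
set -eu

# Constructed copy of the assumed original rule 60000, written to $1 (demo/test only).
write_sample_rules_file() {
    cat > "$1" <<'EOF'
<group name="windows,">
  <rule id="60000" level="0">
    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules</description>
  </rule>
</group>
EOF
}

# Within the rule 60000 block only: drop <category> and set <decoded_as> to json.
# A .logtest.bak copy is kept beside the file so the edit can be undone.
patch_rule_60000() {
    cp "$1" "$1.logtest.bak"
    sed '/<rule id="60000"/,/<\/rule>/{
        /<category>/d
        s#<decoded_as>[^<]*</decoded_as>#<decoded_as>json</decoded_as>#
    }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Restore the original file from the backup once testing is over.
restore_rule_60000() {
    mv "$1.logtest.bak" "$1"
}

# Print the decoded_as value of rule 60000, to verify the edit and the restore.
rule_60000_decoded_as() {
    sed -n '/<rule id="60000"/,/<\/rule>/s#.*<decoded_as>\([^<]*\)</decoded_as>.*#\1#p' "$1"
}

# Dry run on a constructed copy; on a real node patch 0575-win-base_rules.xml, run wazuh-logtest, restore.
demo_on_copy() {
    f=$(mktemp); write_sample_rules_file "$f"
    patch_rule_60000 "$f"
    echo "patched:  decoded_as=$(rule_60000_decoded_as "$f")"
    restore_rule_60000 "$f"
    echo "restored: decoded_as=$(rule_60000_decoded_as "$f")"
    rm -f "$f"
}
demo_on_copy
```

On a real manager, run patch_rule_60000 against /var/ossec/ruleset/rules/0575-win-base_rules.xml, paste the event into wazuh-logtest, and call restore_rule_60000 on the same path before leaving the node.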
