Microsoft-Windows-Security-Auditing


Adiel Jesus Navarro Rosado

Aug 15, 2018, 12:10:38 PM
to wa...@googlegroups.com

Why can't I see any alert for Microsoft-Windows-Security-Auditing EventId 4688?

Checking the ossec.conf for the Windows agent, I can see the following configuration:


Jose Luis Ruiz

Aug 15, 2018, 4:18:49 PM
to Adiel Jesus Navarro Rosado, wa...@googlegroups.com
Hi Adiel,

I hope you are doing well today...

Probably you have no alerts with this ID because you don't have any rule matching this EventID:

/var/ossec/ruleset/rules/0220-msauth_rules.xml

Take a look at the previous file and review whether you have any alert matching ID 4688 (probably not), so you can add a new rule in your local_rules.xml matching this ID.


As an open source project, if you think that this ID is necessary you can always send a pull request to the following repository:


I hope it helps.


Regards
----------------
Jose Luis Ruiz
@jlruizmlg

alberto....@wazuh.com

Aug 16, 2018, 6:38:51 AM
to Wazuh mailing list
Hello Adiel

In addition to this, you can add the following rule to the file "local_rules.xml":

<group name="windows_custom_example,">
  <!-- custom rule IDs belong in the 100000-119999 range reserved for local rules -->
  <rule id="100102" level="5">
    <!-- 18104: parent rule for Windows audit success events -->
    <if_sid>18104</if_sid>
    <!-- match the decoded Windows Event ID -->
    <id>4688</id>
    <description>New process created (example)</description>
  </rule>
</group>


With this rule you will be able to see alerts for event 4688. Please take into account that you must configure Windows to audit this kind of event (new process creation).

Hope it helps.
Best regards, 
Alberto R. 
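Alberto's point that Windows must actually be auditing process creation before any 4688 event exists for the agent to forward can be checked on the host itself. The following is an added example, not part of the thread or of the Wazuh project; it assumes an elevated PowerShell session and the default agent install path C:\Program Files (x86)\ossec-agent\ossec.conf.

```powershell
# Added example: enable and verify Windows process-creation auditing so that
# Event ID 4688 is generated and the Wazuh agent has something to forward.
# Run from an elevated PowerShell session on the monitored Windows host.

# 1. Enable the "Process Creation" audit subcategory (Success is what yields 4688).
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

# 2. Optional but valuable for investigations: include the command line in 4688
#    events (supported on Windows 8.1 / Server 2012 R2 and later).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Show the effective audit setting for the subcategory.
auditpol /get /subcategory:"Process Creation"

# 4. Confirm events are being written: list the newest 4688 entries in the Security log.
#    Properties[5] is NewProcessName in the standard 4688 event template (assumed index).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5 |
    Select-Object TimeCreated, Id,
        @{ Name = 'NewProcess'; Expression = { $_.Properties[5].Value } }

# 5. Confirm the agent is collecting the Security channel at all
#    (path assumed to be the default agent install location).
Select-String -Path 'C:\Program Files (x86)\ossec-agent\ossec.conf' -Pattern 'Security'
```

On a domain-joined host a Group Policy audit setting overrides the local auditpol change, so re-check the effective policy after the next policy refresh.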
