No alerts on malware or virus detection.


Arjun Joshi

Jul 18, 2023, 6:34:19 AM
to Wazuh mailing list
I'm not able to receive any alerts of malware or virus detection. We get alerts for agent queue flooding, or if an application is installed which is not according to Wazuh compliance. How do I enable notifications for malware/virus detection?
Do I need to add something in the API console?

Othniel Ebolum

Jul 18, 2023, 8:23:25 AM
to Wazuh mailing list
Hi Arjun, 

Thanks for contacting Wazuh, 

Wazuh's malware detection capability works in different ways, mainly by checking for signatures of known malware, and by combining the FIM module with threat detection rules and threat intelligence sources. You can gain more insight from the malware detection documentation.

In the documentation, you can see how to set up rules that generate alerts for malware detection. You don't need to add anything to the API console.

I am available to make any further clarifications needed.

Best Regards, 

Arjun Joshi

Jul 19, 2023, 2:07:05 AM
to Wazuh mailing list

Hey Othniel, thank you for your response. I read through the documentation, and I was not able to create a custom alert. I was looking over the Wazuh dashboard, and I don't know how to add custom rules, be it through JSON or using a query. Can you specifically guide me?
I know the code, I just don't know where to and how to add a custom alert through my Wazuh Web UI.

Arjun Joshi

Jul 19, 2023, 2:15:43 AM
to Wazuh mailing list
Please excuse my novice doubts, I'm still new to this. 
Going to Navigation bar > Alerting, there are custom triggers created by the previous Wazuh administrator. I want to create something like "Login failed" to send an alert to my email every time an agent fails the authentication, regardless of the number of agents in the Wazuh server.


Othniel Ebolum

Jul 19, 2023, 8:29:54 AM
to Wazuh mailing list
Hi Arjun, 

This is not a problem, 

You can start by getting familiar with how Wazuh alerts. Wazuh collects logs from monitored endpoints, which it analyzes and matches against the existing decoders and then the rules; if a match is found, it raises an alert on the dashboard.

Now, for email alerts: email notification is disabled by default in the Wazuh server's ossec configuration file.

This can be found on the dashboard by navigating to Management > Administration > Configuration, then clicking on "Edit configuration" to make changes.

If you are comfortable with the CLI of the Wazuh server, then, as the root user, open /var/ossec/etc/ossec.conf.

Then edit the configuration:

<ossec_config>
    <global>
        <email_notification>yes</email_notification>
        <email_to>m...@test.com</email_to>
        <smtp_server>mail.test.com</smtp_server>
        <email_from>wa...@test.com</email_from>
    </global>
</ossec_config>

Also, you can add email alerts for specific rule IDs. The failed login, for example, already has an existing rule with ID 18106, found within /var/ossec/ruleset/rules/0220-msauth_rules.xml. Note: please do not edit this file.

<ossec_config>
  <!-- granular email block; this goes inside <ossec_config> in ossec.conf -->
  <email_alerts>
    <email_to>y...@example.com</email_to>
    <rule_id>18106</rule_id>
    <do_not_delay />
  </email_alerts>
</ossec_config>

You can find guidelines and procedures for email notifications here.

For other alerts that are not present by default, you can find more insights and guides on creating custom decoders and rules for alerts here.

Also, our tool wazuh-logtest can help you test these rules before fully implementing them.

Best Regards, 
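
An added worked example (not from this thread, and not Wazuh's own documentation) that puts the two snippets above together and handles the check a practitioner usually trips over: the granular `<email_alerts>` block on its own is not enough when the matched rule's level is below the global `email_alert_level` (default 12), because analysisd only hands an alert to the mail daemon if it reaches that level or its rule carries the `alert_by_email` option. Rule 18106 is a low-level rule, so a child rule in local_rules.xml that adds `alert_by_email` is the cleanest way to get one mail per failed logon without touching the stock ruleset file. The mailbox, SMTP host and the custom rule ID 100100 are assumed placeholders (custom rule IDs must be 100000 or above); the `email_maxperhour` value is likewise an assumption you should size for your own environment.

```xml
<!-- Added example, not code from the thread or from the Wazuh project.
     Assumed placeholders: soc@example.com, mail.example.com, rule ID 100100. -->

<!-- File 1: /var/ossec/etc/ossec.conf on the Wazuh manager -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>
    <smtp_server>mail.example.com</smtp_server>
    <email_from>wazuh@example.com</email_from>
    <!-- Default is 12 mails per hour; alerts beyond that are batched into
         a later digest, which reads as "only one notification for three
         attacks". Raise it if every event must be its own mail. -->
    <email_maxperhour>100</email_maxperhour>
  </global>

  <alerts>
    <!-- Global mail threshold (default 12). Alerts below this level are
         only mailed when their rule has <options>alert_by_email</options>. -->
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Granular block: references the CUSTOM child rule, because once the
       child rule matches, the alert carries rule.id 100100, not 18106. -->
  <email_alerts>
    <email_to>soc@example.com</email_to>
    <rule_id>100100</rule_id>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>

<!-- File 2: /var/ossec/etc/rules/local_rules.xml (safe to edit; the stock
     ruleset under /var/ossec/ruleset/rules is overwritten on upgrade) -->
<group name="local,windows,authentication_failed,">
  <!-- Child of stock rule 18106 (Windows Logon Failure). Same level, but
       alert_by_email lifts it over the email_alert_level gate above.
       Groups are declared explicitly rather than relying on inheritance. -->
  <rule id="100100" level="5">
    <if_sid>18106</if_sid>
    <options>alert_by_email</options>
    <description>Windows logon failure (mailed copy of rule 18106)</description>
  </rule>
</group>
```

Before restarting, run /var/ossec/bin/wazuh-logtest on the manager, paste one of the actual failed-logon log lines an agent shipped, and confirm that the rule ID and level it reports are the ones you referenced in `<rule_id>` and `<if_sid>`: if your Windows agents send Security events through the eventchannel log format rather than the older eventlog format, the matching rule will not be 18106 and you should use the ID wazuh-logtest (or the dashboard alert) shows instead. Then apply with `systemctl restart wazuh-manager` and watch /var/ossec/logs/ossec.log for SMTP errors from the mail daemon.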

Arjun Joshi

Jul 20, 2023, 6:25:48 AM
to Wazuh mailing list
Hi, the email notifications are already configured. I do receive updates on agents being flooded, and some notifications of malware now. In the past week, there were 3 attacks, and I had just one email notification. The malware notification is a custom alert, which fires sometimes. On the other hand, the "Login failed" custom alert does not seem to fire at all. I checked the configuration of both the custom malware and login alerts; they are the same, except for some minor differences.
Also, I wanted to ask, do the Wazuh indices included have any impact?
I have tried all the documentation, but it is all for Linux. I have a Windows machine, not Linux. And I want to use the Wazuh WUI to solve this issue and create custom alerts.

Arjun Joshi

Jul 20, 2023, 7:05:08 AM
to Wazuh mailing list
The rule ID I'm seeing after an agent fails an authorization is 40704.

Othniel Ebolum

Jul 20, 2023, 2:45:19 PM
to Wazuh mailing list
Hi, alright, I think I understand you better now. The issue may be from the custom rules you have set; you can test them using the wazuh-logtest tool I mentioned earlier. Also, if you have a sample of the logs generated for the login failure, it will help in making sure the parameters set for the rules are correct. If you want, you can send the logs and current rule set over and I can see if I can further assist you.


> Also, I wanted to ask, does wazuh indices included have any impact?

This question is unclear. Wazuh has default index patterns already set that correlate analyzed logs to fields, etc. I am unsure whether, if left untampered with, they will have anything to do with your rules not triggering.

Finally, concerning using the Wazuh WUI to solve the issue, I am not familiar with using it on a daily basis; however, in researching this, here is an insightful similar issue and a solution. Check it out.
Also, feel free to ask similar questions in our Slack community and find a variety of solutions from similar users.

Best Regards, 