Filter noisy Windows Events - best practice

Marco

Aug 23, 2022, 11:41:55 AM
to wa...@googlegroups.com
Hi all,

I'd like to filter out some noisy, recurring Windows events that are often fired by Windows clients. I'm not sure what the best approach to do this would be.

For instance, I have this JSON event and want to select on the following matching criteria.

If processName, subjectUserName and privilegeList match, do not send this to the Wazuh manager. Where do I set this? Groups => files => agent.conf?

Thanks for any help.



{
  "_index": "wazuh-alerts-4.x-2022.08.23",
  "_type": "_doc",
  "_id": "RZc-y4IBMk0islnOdCL0",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": {
      "type": "log"
    },
    "agent": {
      "ip": "XXXXXXXXXXX",
      "name": "XXXXXXXX",
      "id": "022"
    },
    "manager": {
      "name": "XXXXXXXXXX"
    },
    "data": {
      "win": {
        "eventdata": {
          "subjectLogonId": "0x11be23",
          "subjectUserSid": "xxxxxxxxxxxxxxxxxxxxxxx",
          "processId": "0x4888",
          "processName": "C:\\\\Program Files (x86)\\\\National Instruments\\\\NI Device Monitor\\\\DeviceMonitor.exe",
          "subjectDomainName": "XXXXXX",
          "objectServer": "Security",
          "privilegeList": "SeTcbPrivilege",
          "subjectUserName": "XXXXX"
        },
        "system": {
          "eventID": "4673",
          "keywords": "0x8010000000000000",
          "providerGuid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
          "level": "0",
          "channel": "Security",
          "opcode": "0",
          "message": "\"Ein privilegierter Dienst wurde aufgerufen.\r\n\r\nAntragsteller:\r\n\tSicherheits-ID:\t\tS-1-5-21-1571561004-1390823723-312552118-2424\r\n\tKontoname:\t\tXXX\r\n\tKontodomäne:\t\tXXXX\r\n\tAnmelde-ID:\t\t0x11BE23\r\n\r\nDienst:\r\n\tServer:\tSecurity\r\n\tDienstname:\t-\r\n\r\nProzess:\r\n\tProzess-ID:\t0x4888\r\n\tProzessname:\tC:\\Program Files (x86)\\National Instruments\\NI Device Monitor\\DeviceMonitor.exe\r\n\r\nDienstanforderungsinformationen:\r\n\tBerechtigungen:\t\tSeTcbPrivilege\"",
          "version": "0",
          "systemTime": "2022-08-23T15:07:22.0744198Z",
          "eventRecordID": "9154671",
          "threadID": "20560",
          "computer": "XXXXXX",
          "task": "13056",
          "processID": "4",
          "severityValue": "AUDIT_FAILURE",
          "providerName": "Microsoft-Windows-Security-Auditing"
        }
      }
    }
  }
}

Many thanks.

Regards
Marco

Tomas Benitez Vescio

Aug 23, 2022, 1:30:10 PM
to Wazuh mailing list
Hi,
Thanks for using Wazuh!
If you want to filter out a specific event matching a particular condition, you can do so by creating a rule on the Windows agent's ossec.conf, or agent.conf if you are using a centralized configuration. You would want to set the rule level to 0 (to indicate that you want to ignore that event), and in field_name you could use a regular expression to match the condition you want. You can check out how to use regular expressions and rules syntax in the following links: Regular Expressions and Rules Syntax. Also, you can refer to the following thread to see a similar case and a possible solution with examples.
Regards.
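The two places this filter can actually live, as an added example that is not part of the thread above. Wazuh rules are evaluated by analysisd on the manager, so a level-0 rule belongs in the manager's /var/ossec/etc/rules/local_rules.xml (option A); the only agent-side knob that keeps an event from being sent at all is the eventchannel `<query>` on the Security `<localfile>` (option B), which is what goes into the group's agent.conf. Assumptions in this example: rule id 100100 is unused, the parent rule that currently fires for this event is 60103 (replace it with the rule.id shown in the real alert, which the posted JSON omits), and `nidevmon-svc` stands in for the redacted subjectUserName.

```xml
<!-- Option A: manager side, /var/ossec/etc/rules/local_rules.xml (added example).
     The event still reaches the manager; only the alert is suppressed.
     Every <field> must match (logical AND). Patterns are Wazuh OS_Regex, where
     "\." matches any single character, which is used here to stand in for the
     backslashes in the Windows path. Assumed: id 100100 free, parent 60103,
     user name nidevmon-svc is a placeholder. -->
<group name="windows,local,">
  <rule id="100100" level="0">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4673$</field>
    <field name="win.eventdata.privilegeList">^SeTcbPrivilege$</field>
    <field name="win.eventdata.subjectUserName">^nidevmon-svc$</field>
    <field name="win.eventdata.processName">^C:\.Program Files \(x86\)\.National Instruments\.NI Device Monitor\.DeviceMonitor\.exe$</field>
    <description>Ignore NI Device Monitor SeTcbPrivilege audit failures (Event ID 4673).</description>
  </rule>
</group>

<!-- Option B: agent side, in the group's agent.conf (Groups > files) or the
     agent's ossec.conf (added example). Replace the existing Security
     <localfile> block rather than adding a second one for the same channel.
     The query is the XPath subset Event Viewer uses for custom views; it is
     the De Morgan negation of "4673 AND SeTcbPrivilege AND that user AND that
     process", so everything else on the channel is still collected. Assumed:
     the user name is a placeholder; validate the XPath in Event Viewer
     (Create Custom View > XML) before rolling it out. -->
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>*[System[EventID != 4673] or EventData[Data[@Name='PrivilegeList'] != 'SeTcbPrivilege'] or EventData[Data[@Name='SubjectUserName'] != 'nidevmon-svc'] or EventData[Data[@Name='ProcessName'] != 'C:\Program Files (x86)\National Instruments\NI Device Monitor\DeviceMonitor.exe']]</query>
</localfile>
```

Two caveats a practitioner should weigh before choosing. Option A keeps the raw event on the manager (it is still written to archives if `<logall>` is enabled), so it can be recovered during an investigation; option B discards it on the endpoint and nothing can be recovered later. In both cases the match keys are attacker-influenced: processName is just the image path and subjectUserName is the account, so a binary dropped at that exact path and run as that account would be silenced as well. Anchor on the full path and all three fields, as above, and keep the filter no wider than the noise you have actually measured. After editing local_rules.xml, restart the manager (`systemctl restart wazuh-manager`) and confirm with `/var/ossec/bin/wazuh-logtest` that the sample event now ends at rule 100100 with level 0.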