Get Windows Defender logs on Wazuh Manager


mbar...@xmltravelgate.com

Aug 18, 2017, 7:26:43 AM
to Wazuh mailing list
Good morning,

Sorry, I've wasted a lot of time with this issue and I need your light.

I'm trying to get Windows Defender Logs on the Wazuh Manager.

I've changed the configuration on one Windows Wazuh Agent (C:\ossec-agent\ossec.conf) such as:

<!--
  Wazuh - Agent - Default configuration for Windows
-->

<ossec_config>
  <!-- Log analysis -->
  <localfile>
    <location>Microsoft-Windows-Windows Defender/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
[...OUTPUT TRUNCATED...]

I've restarted the Wazuh Agent and I can see this information on its logs (C:\ossec-agent\ossec.log):

2017/08/18 11:03:57 ossec-agentd(4102): INFO: Connected to the server (192.168.34.7:1514).

2017/08/18 11:03:58 ossec-agent: INFO: System is Vista or newer (Microsoft Windows Server 2012 Datacenter Edition (full)  (Build 9200) - Wazuh v2.0).
2017/08/18 11:03:58 ossec-logcollector(1951): INFO: Analyzing event log: 'Microsoft-Windows-Windows Defender/Operational'.
2017/08/18 11:03:58 ossec-logcollector(1951): INFO: Analyzing event log: 'Application'.
2017/08/18 11:03:58 ossec-logcollector(1951): INFO: Analyzing event log: 'Security'.
2017/08/18 11:03:58 ossec-logcollector(1951): INFO: Analyzing event log: 'System'.
2017/08/18 11:03:58 ossec-logcollector(1950): INFO: Analyzing file: 'C:\ossec-agent\active-response\active-responses.log'.
2017/08/18 11:03:58 ossec-logcollector: INFO: Started (pid: 2624).

I've triggered a false virus using the EICAR test file:



As we expected, we can note some new Alerts on Windows Defender:



So far, everything worked fine but we were not able to see any related alert on the Wazuh Manager (/var/ossec/logs/alerts/alerts.log).

What would we have to do to get this alert?

Please let me know whatever further information you could need.

Any clue regarding how to fix this matter will be welcome.

Thanks and have a nice weekend.

alberto....@wazuh.com

Aug 18, 2017, 9:04:47 AM
to Wazuh mailing list
Hello Miguel

  We developed Rules & Decoders for Windows Defender, specifically those events you're trying to get, as you can see here:



But these rules and decoders were included in version 2.0.1. Do you have this version? You can verify it by:

cat /etc/ossec-init.conf

If your version is 2.0 you'll need to upgrade, at least, your ruleset.
Hope it helps,
Best regards,
Alberto R.

Jeremy Larose

Aug 27, 2017, 11:08:08 AM
to Wazuh mailing list
I noticed that Defender in Windows 7 uses code 1006 instead of 1116, maybe 1006 can be included with the decoder as well.

alberto....@wazuh.com

Aug 28, 2017, 4:01:49 AM
to Wazuh mailing list
Hello Jeremy

  I see that there are 2 IDs for this event. Thanks, we will try to include the case in our ruleset.

Best regards, 
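A small check script, added here as an example and not part of this thread or of the Wazuh project, that covers both points raised above: it confirms from the agent's ossec.log that the Defender channel is being analyzed, and it picks out Defender detection events by both event IDs mentioned in the thread (1116 and 1006). The "WinEvtLog: <channel>: <LEVEL>(<id>): ..." line shape and all sample lines are constructed assumptions for illustration.

```python
import re

# Agent log line confirming a channel is read (shape taken from the ossec.log excerpt above).
ANALYZING_RE = re.compile(r"ossec-logcollector\(1951\): INFO: Analyzing event log: '([^']+)'")
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"

# Detection event IDs discussed in the thread: 1116 (Windows 8/Server 2012) and 1006 (Windows 7).
DETECTION_EVENT_IDS = {"1116", "1006"}

# Assumed shape of a forwarded eventchannel line: "WinEvtLog: <channel>: <LEVEL>(<id>): <rest>"
WINEVT_RE = re.compile(r"^WinEvtLog: ([^:]+): [A-Z]+\((\d+)\): (.*)$")


def defender_channel_monitored(agent_log: str) -> bool:
    """True if the agent's ossec.log shows the Defender Operational channel being analyzed."""
    return any(m.group(1) == DEFENDER_CHANNEL for m in ANALYZING_RE.finditer(agent_log))


def defender_detections(forwarded_lines):
    """Return (event_id, message) for Defender detection events, whichever ID the OS uses."""
    hits = []
    for line in forwarded_lines:
        m = WINEVT_RE.match(line)
        if m and m.group(1) == DEFENDER_CHANNEL and m.group(2) in DETECTION_EVENT_IDS:
            hits.append((m.group(2), m.group(3)))
    return hits


# Constructed sample input (not real captures): two agent log lines and three forwarded events.
SAMPLE_AGENT_LOG = (
    "2017/08/18 11:03:58 ossec-logcollector(1951): INFO: Analyzing event log: "
    "'Microsoft-Windows-Windows Defender/Operational'.\n"
    "2017/08/18 11:03:58 ossec-logcollector(1951): INFO: Analyzing event log: 'Application'."
)
SAMPLE_EVENTS = [
    "WinEvtLog: Microsoft-Windows-Windows Defender/Operational: WARNING(1116): "
    "Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: WIN2012: "
    "Windows Defender has detected malware: Virus:DOS/EICAR_Test_File",
    "WinEvtLog: Microsoft-Windows-Windows Defender/Operational: WARNING(1006): "
    "Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: WIN7: "
    "Windows Defender has detected malware: Virus:DOS/EICAR_Test_File",
    "WinEvtLog: Microsoft-Windows-Windows Defender/Operational: INFORMATION(1000): "
    "Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: WIN2012: "
    "An antimalware scan started",
]

if __name__ == "__main__":
    print("Defender channel monitored:", defender_channel_monitored(SAMPLE_AGENT_LOG))
    for event_id, msg in defender_detections(SAMPLE_EVENTS):
        print(f"detection event {event_id}: {msg}")
```

If the channel line is missing from ossec.log, the agent configuration (not the manager ruleset) is the first thing to re-check; if it is present but no alert fires, the ruleset version is the next suspect, as Alberto describes.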