File monitoring in Windows


Thaynara Soares

Mar 21, 2025, 2:56:07 PM
to Wazuh | Mailing List
Hello, I have two questions. My environment currently has more than 900 agents and I am monitoring 3 folders in Windows and I received this message.

The maximum limit of files monitored has been reached. At this moment there are 100000 files and the limit is 100000. From this moment some events can be lost. You can modify this setting in the centralized configuration or locally in the agent.

-What can I do to increase this?

-Another question is that I want to receive an alert when a file has the title written (Password). How do I create a rule for this?

Isaiah Daboh

Mar 21, 2025, 3:34:58 PM
to Wazuh | Mailing List
Hello,

File limit can be increased by adding or editing the <file_limit> sub-section under <syscheck> in ossec.conf.

Step 1: Open C:\Program Files (x86)\ossec-agent\ossec.conf in your text editor.
Step 2: Locate the <syscheck> section.
Step 3: Create the <file_limit> sub-section, or modify the existing one, as follows:
<!-- Maximum number of files to be monitored -->
<file_limit>
  <enabled>yes</enabled>
  <entries>100000</entries>
</file_limit>

Note: Allowed values - Integer number between 1 and 2147483647.

Save and Restart Wazuh-agent for changes to apply.

Please confirm whether the files you are looking out for are in one of the locations monitored for changes, so that I can assist further.

Regards

Thaynara Soares

Mar 21, 2025, 4:33:20 PM
to Wazuh | Mailing List
I understand, thank you, I will make this change. Regarding the rule to alert when a file has the title written (Password), how do I create a rule for this? I am already monitoring some Windows folders.

Thaynara Soares

Mar 25, 2025, 1:42:47 PM
to Wazuh | Mailing List
In fact, I'm now using this rule and it didn't give a syntax error, but the regex doesn't seem to work because I did a test and it didn't generate an alert in rule 100021.

<group name="ossec,">
  <rule id="100021" level="7">
    <if_sid>550</if_sid>
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <field name="syscheck.path" type="pcre2">(?i)(\\|\/)(password|senha|passwd|credencial|login|secret|hash)[^\\\/]*\.\w+$</field>
    <description>File with sensitive name detected</description>
    <mitre>
      <id>T1565.001</id>
    </mitre>
    <group>syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

On Monday, March 24, 2025 at 14:25:24 UTC-4, Thaynara Soares wrote:
I created this rule but it is not accepting the regex part

<!-- RULE FOR MATCHING FILE TITLES -->

<group name="ossec,">
  <rule id="100021" level="7">
    <if_sid>550</if_sid>
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <field name="syscheck.path">\\[^\\]*\\(password|senha|passwd|credencial|login|secret|hash)[^\\]*$</field>
    <description>Arquivo com senha no titulo detectado no Windows</description>
    <mitre>
      <id>T1565.001</id>
    </mitre>
    <group>syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

-It's giving this error:

Error: Could not upload rule (1113) - XML syntax error

Isaiah Daboh

Mar 26, 2025, 3:51:18 PM
to Wazuh | Mailing List
Hello,

Please can you try this rule instead and see if this detects any password.anyextension?
<group name="ossec,">
  <rule id="100021" level="7">
    <if_sid>550</if_sid>
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <field name="syscheck.path" type="pcre2">(?i)password\.*</field>
    <description>File with sensitive name detected</description>
    <mitre>
      <id>T1565.001</id>
    </mitre>
    <group>syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>
Regards,

Thaynara Soares

Mar 26, 2025, 4:00:50 PM
to Wazuh | Mailing List
I did it this way and it worked. I can receive the alert.

<group name="arquivos,">
  <rule id="100022" level="7">
    <if_sid>550</if_sid>
    <match type="pcre2">(?i)(?:^|[\\])([^\\]*?\b(password|senha|passwd|credencial|login|secret|hash)\b[^\\]*)$</match>
    <description>File with sensitive name detected</description>
  </rule>
</group>

-However, I noticed that with my monitoring like this:

    <syscheck>
      <directories check_all="yes" realtime="yes">C:\Users\*\Documents</directories>
    </syscheck>

I couldn't monitor when the folder is like this

C:\Users\thaynara\OneDrive - mt\Documentos
 
I tried to put it this way and it's not working, do you have any idea what could be wrong?

    <syscheck>
      <directories check_all="yes" realtime="yes">C:\Users\*\OneDrive - *\Documents</directories>
    </syscheck>

Isaiah Daboh

Mar 28, 2025, 2:20:31 PM
to Wazuh | Mailing List
Hello,

Try to have it this way instead:

<syscheck>
  <directories check_all="yes" realtime="yes">C:\\Users\\*\\Documents</directories>
</syscheck>

or

<syscheck>
  <directories check_all="yes" realtime="yes">C:\\Users\\*\\OneDrive - *\\Documents</directories>
</syscheck>

Regards

Thaynara Soares

Apr 2, 2025, 12:42:01 PM
to Wazuh | Mailing List
It didn't work that way

Thaynara Soares

Apr 2, 2025, 12:43:00 PM
to Wazuh | Mailing List
Hi, I have a question. I checked the Wazuh documentation for other forms of auditing.
    <syscheck>
      <directories check_all="yes" whodata="yes" report_changes="yes">C:\Users\*\Downloads</directories>
    </syscheck>
However, the rule I am currently using only works with this type of monitoring.
    <syscheck>
      <directories check_all="yes" realtime="yes">C:\Users\*\Downloads</directories>
    </syscheck>
Rule used:
<group name="arquivos,">
  <rule id="100020" level="7">
    <if_sid>550</if_sid>
    <match type="pcre2">(?i)(?:^|[\\])([^\\]*?\b(password|senha|passwd|credencial|login|secret|hash)\b[^\\]*)$</match>
    <description>File with sensitive name detected</description>
  </rule>
</group>

Do you know why this happens?

Isaiah Daboh

Apr 7, 2025, 3:53:34 AM
to Wazuh | Mailing List
Hello,

To understand your ask: do you have a use case for another type of monitoring? That will help with troubleshooting why it didn't work in your environment.

Regards

Thaynara Soares

Apr 10, 2025, 2:52:42 PM
to Wazuh | Mailing List
The issue is when I put the parameter whodata="yes" report_changes="yes" the log comes in a different way and my created rule is not triggered, which would be this:

    <if_sid>550</if_sid>
    <match type="pcre2">(?i)(?:^|[\\])([^\\]*?\b(password|senha|passwd|credencial|login|secret|hash)\b[^\\]*)$</match>
    <description>Arquivo com nome confidencial detectado</description>
  </rule>
</group>

Can you tell me why my rule works when monitoring is in realtime and when I put this parameter (whodata="yes" report_changes="yes") it doesn't work?

Isaiah Daboh

Apr 10, 2025, 5:03:24 PM
to Wazuh | Mailing List

Hello,

Kindly share the new format the report comes in so that it can be investigated further.

Note: Please mask any sensitive info or replace it with dummy values.

Regards,

Thaynara Soares

Apr 10, 2025, 5:59:25 PM
to Wazuh | Mailing List
(Attachments: Screenshot_47.png, Screenshot_48.png)

Thaynara Soares

Apr 10, 2025, 6:01:48 PM
to Wazuh | Mailing List
I can't get the diff part in my rule

Isaiah Daboh

Apr 15, 2025, 8:03:44 AM
to Wazuh | Mailing List
Hello,

Please can you share the full_log from the real-time and who-data logs as text masking sensitive information?

I can see the syscheck.diff from the image you shared. Please can you elaborate on 'I can't get the diff part in my rule'?

Regards,

Thaynara Soares

Apr 15, 2025, 4:05:39 PM
to Wazuh | Mailing List
{
  "_index": "wazuh-alerts-4.x-2025.03.31",
  "_id": "FZu--7qG",
  "_score": 1,
  "_source": {
    "syscheck": {
      "size_before": "18",
      "uname_after": "***",
      "mtime_after": "2025-03-31",
      "size_after": "24",
      "md5_before": "8a73f8",
      "diff": "---\n> oiii\n",
      "win_perm_after": [
        {
          "allowed": [
            "DELETE",
            "READ_CONTROL",
            "WRITE_DAC",
            "WRITE_OWNER",
            "SYNCHRONIZE",
            "READ_DATA",
            "WRITE_DATA",
            "APPEND_DATA",
            "READ_EA",
            "WRITE_EA",
            "EXECUTE",
            "READ_ATTRIBUTES",
            "WRITE_ATTRIBUTES",
            [
              "DELETE",
              "READ_CONTROL",
              "WRITE_DAC",
              "WRITE_OWNER",
              "SYNCHRONIZE",
              "READ_DATA",
              "WRITE_DATA",
              "APPEND_DATA",
              "READ_EA",
              "WRITE_EA",
              "EXECUTE",
              "READ_ATTRIBUTES",
              "WRITE_ATTRIBUTES"
            ],
            [
              "DELETE",
              "READ_CONTROL",
              "WRITE_DAC",
              "WRITE_OWNER",
              "SYNCHRONIZE",
              "READ_DATA",
              "WRITE_DATA",
              "APPEND_DATA",
              "READ_EA",
              "WRITE_EA",
              "EXECUTE",
              "READ_ATTRIBUTES",
              "WRITE_ATTRIBUTES"
            ]
          ],
          "name": "SISTEMA"
        },
        {
          "allowed": [
            "DELETE",
            "READ_CONTROL",
            "WRITE_DAC",
            "WRITE_OWNER",
            "SYNCHRONIZE",
            "READ_DATA",
            "WRITE_DATA",
            "APPEND_DATA",
            "READ_EA",
            "WRITE_EA",
            "EXECUTE",
            "READ_ATTRIBUTES",
            "WRITE_ATTRIBUTES"
          ],
          "name": "Administradores"
        },
        {
          "allowed": [
            "DELETE",
            "READ_CONTROL",
            "WRITE_DAC",
            "WRITE_OWNER",
            "SYNCHRONIZE",
            "READ_DATA",
            "WRITE_DATA",
            "APPEND_DATA",
            "READ_EA",
            "WRITE_EA",
            "EXECUTE",
            "READ_ATTRIBUTES",
            "WRITE_ATTRIBUTES"
          ],
          "name": "***"
        }
      ],
      "sha256_before": "**",
      "mtime_before": "2025-03-31",
      "mode": "whodata",
      "path": "c:\\users\\***\\downloads\\senha.txt",
      "sha1_after": "***",
      "changed_attributes": [
        "size",
        "mtime",
        "md5",
        "sha1",
        "sha256"
      ],
      "audit": {
        "process": {
          "name": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad",
          "id": "118"
        },
        "user": {
          "name": "***",
          "id": "S-1-5-2-40654"
        }
      },
      "attrs_after": [
        "ARCHIVE"
      ],
      "uid_after": "************",
      "event": "modified",
      "md5_after": "d02809",
      "sha1_before": "1a0db94",
      "sha256_after": "0d72e"
    },
    "agent": {
      "ip": "**.**.**.**",
      "name": "***",
      "id": "006"
    },
    "manager": {
      "name": "wazuh-hmg"
    },
    "rule": {
      "mail": true,
      "level": 7,
      "pci_dss": [
        "11.5"
      ],
      "hipaa": [
        "164.312.c.1",
        "164.312.c.2"
      ],
      "tsc": [
        "PI1.4",
        "PI1.5",
        "CC6.1",
        "CC6.8",
        "CC7.2",
        "CC7.3"
      ],
      "description": "Integrity checksum changed.",
      "groups": [
        "ossec",
        "syscheck",
        "syscheck_entry_modified",
        "syscheck_file"
      ],
      "nist_800_53": [
        "SI.7"
      ],
      "gdpr": [
        "II_5.1.f"
      ],
      "firedtimes": 3,
      "mitre": {
        "technique": [
          "Stored Data Manipulation"
        ],
        "id": [
          "T1565.001"
        ],
        "tactic": [
          "Impact"
        ]
      },
      "id": "550",
      "gpg13": [
        "4.11"
      ]
    },
    "decoder": {
      "name": "syscheck_integrity_changed"
    },
    "full_log": "File 'c:\\users\\*8*\\downloads\\senha.txt' modified\nMode: whodata\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '18' to '24'\nOld modification time was: '230', now it is '14351'\nOld md5sum was: '19cef8'\nNew md5sum is : 'd85a89'\nOld sha1sum was: '10614'\nNew sha1sum is : '026bb'\nOld sha256sum was: 'a64c'\nNew sha256sum is : '0d61e'\n",
    "input": {
      "type": "log"
    },
    "@timestamp": "2025-03-31T",
    "location": "syscheck",
    "id": "****",
    "timestamp": "2025-03-31"
  },
  "fields": {
    "syscheck.mtime_after": [
      "2025-03-31"
    ],
    "syscheck.mtime_before": [
      "2025-03-31"
    ],
    "timestamp": [
      "2025-03-31"
    ],
    "@timestamp": [
      "2025-03-31T"
    ]
  }
}

Thaynara Soares

Apr 15, 2025, 4:09:40 PM
to Wazuh | Mailing List
And regarding the second question, sorry for not having written it in a way that is easier to understand: I want my created rule to also check the diff part, to see whether the words mentioned in the rule exist in that field.

    <if_sid>550</if_sid>
    <match type="pcre2">(?i)(?:^|[\\])([^\\]*?\b(password|senha|passwd|credencial|login|secret|hash)\b[^\\]*)$</match>
    <description>Arquivo com nome confidencial detectado</description>
  </rule>
</group>

How can I make the change to my rule above to work with this new specification?
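As an added example (not code from this thread or from Wazuh): the `<match type="pcre2">` regex from rules 100022/100020 and a plain keyword check, run in Python over constructed, masked sample events and over a `syscheck.diff` value like the one in the alert above. Python's `re` treats `(?i)`, `\b` and the default `$` (end of subject, or before its final newline) the same way PCRE2 does for these patterns, so the harness shows two things a practitioner should test before deploying: the posted pattern ends in `[^\\]*$`, so any backslash that appears after the file name in full_log defeats the match (the trailing 'Process name' line is hypothetical, not taken from the poster's logs), and a keyword check applied to the diff text rather than the path, which is what the poster asks for here.

```python
import re

# Keyword group exactly as used in the thread's rules 100022 / 100020.
SENSITIVE = r"(password|senha|passwd|credencial|login|secret|hash)"

# The <match type="pcre2"> body posted in the thread, unchanged. Wazuh evaluates
# <match> against full_log; note the trailing [^\\]*$ which forbids any backslash
# between the matched keyword and the end of the whole event text.
THREAD_PATTERN = re.compile(r"(?i)(?:^|[\\])([^\\]*?\b" + SENSITIVE + r"\b[^\\]*)$")

# Assumed alternative (not from the thread): isolate the "File '...'" line, take the
# last path component and test only that, so later lines cannot affect the result.
FILE_LINE = re.compile(r"^File '([^']+)'", re.MULTILINE)
KEYWORD = re.compile(r"(?i)\b" + SENSITIVE + r"\b")


def thread_rule_matches(full_log: str) -> bool:
    """Does the posted <match> regex fire on this full_log?"""
    return THREAD_PATTERN.search(full_log) is not None


def file_name_flagged(full_log: str) -> bool:
    """Keyword check restricted to the file name on the 'File ...' line."""
    m = FILE_LINE.search(full_log)
    if not m:
        return False
    name = re.split(r"[\\/]", m.group(1))[-1]
    return KEYWORD.search(name) is not None


def diff_flagged(diff: str) -> bool:
    """Keyword check over the syscheck.diff text (the content change itself)."""
    return KEYWORD.search(diff) is not None


# Constructed sample events, masked in the style of the alert in the thread.
REALTIME_LOG = ("File 'c:\\users\\user\\downloads\\senha.txt' modified\n"
                "Mode: realtime\nChanged attributes: size,mtime,md5,sha1,sha256\n")
WHODATA_LOG = ("File 'c:\\users\\user\\downloads\\senha.txt' modified\n"
               "Mode: whodata\nChanged attributes: size,mtime,md5,sha1,sha256\n")
# Same event with a hypothetical trailing line that contains backslashes.
WHODATA_LOG_WITH_PROC = WHODATA_LOG + "Process name: 'C:\\Program Files\\WindowsApps\\Notepad'\n"

if __name__ == "__main__":
    for label, log in [("realtime", REALTIME_LOG), ("whodata", WHODATA_LOG),
                       ("whodata+process", WHODATA_LOG_WITH_PROC)]:
        print(f"{label:16} match_rule={thread_rule_matches(log)} name_check={file_name_flagged(log)}")
    print("diff from thread:", diff_flagged("---\n> oiii\n"))
    print("constructed diff:", diff_flagged("---\n> password=changeme\n"))
```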

Isaiah Daboh

Apr 17, 2025, 7:24:47 AM
to Wazuh | Mailing List
Hello,

Thanks for the clarification, now I understand.

You want the rule to trigger based on the content of 'diff'. However, I do not see any of those words in the diff you shared, was this masked?

`(password|senha|passwd|credencial|login|secret|hash)`
```
{
  "_index": "wazuh-alerts-4.x-2025.03.31",
  "_id": "FZu--7qG",
 .
 .
 .

      "md5_before": "8a73f8",
      "diff": "---\n> oiii\n",
      "win_perm_after": [
        {
          "allowed": [
            "DELETE",
            "READ_CONTROL"
```

Regards,

Thaynara Soares

Apr 23, 2025, 1:08:36 PM
to Wazuh | Mailing List
Yes, it was just an example; as I did it a few days ago, I couldn't find it to send. But do you know how I can make it work that way?

Isaiah Daboh

Apr 24, 2025, 2:25:41 PM
to Wazuh | Mailing List
Hello,

Everything looks fine from what you have shared.

However, I need to be able to reproduce this so that I can adapt the rule to suit your logs, so I need you to share a sample 'diff' with the regex you want to match.

Kindly share it as text, masking any sensitive info aside from the regex you want to match.

Regards
