Generation of Wazuh rules on Windows event Channel logs (With no parent Rule)


taimur ahmed

Sep 18, 2023, 6:45:32 AM9/18/23
to Wazuh | Mailing List
Hi! I want to generate an alert for a Windows Server 2016 endpoint for an SSH login. So I am getting the logs in the archive index, decoded via the default JSON decoder, as shown in the attached picture. The logtest shows that no parent rule is triggered for this event. The configuration on the agent side is:
<localfile>
  <location>OpenSSH/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

The rule I wrote is given below:
<group name="win_server_16">
  <rule id="100411" level="5">
    <if_sid>60000</if_sid>
    <!-- <field name="win.system.providerName">OpenSSH$</field> -->
    <!-- <location>EventChannel</location> -->
    <field name="win.system.channel">^OpenSSH/Operational$</field>
    <!-- <field name="win.system.providerName">^OpenSSH$</field> -->
    <!-- <field name="win.eventdata.process">^sshd$</field> -->
    <!-- <description>$(win.system.message)</description> -->
    <description>SSH LOG DETECTED</description>
  </rule>
</group>


Log_JSON:
{"win":{"system":{"providerName":"OpenSSH","providerGuid":"{C4B57D35-0636-4BC3-A262-370F249F9802}","eventID":"4","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x4000000000000000","systemTime":"2023-09-18T08:23:58.493470400Z","eventRecordID":"15","processID":"1620","threadID":"1892","channel":"OpenSSH/Operational","computer":"WIN-72J08VIAJ0E","severityValue":"INFORMATION","message":"\"sshd: Accepted password for Administrator from 192.168.0.122 port 52866 ssh2\""},"eventdata":{"process":"sshd","payload":"Accepted password for Administrator from 192.168.0.122 port 52866 ssh2"}}}


Kindly guide me how to solve it. Thanks!


Attachments: archIve_index.PNG, Logtest_18_9.PNG
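As an added example (not code from the thread or from Wazuh), the following script pre-checks the `<field>` conditions of the posted rule against the posted event JSON before the rule is deployed, and pulls the user and source address out of the sshd payload so they could be surfaced in an alert description. It emulates Wazuh's per-field matching with Python regular expressions, which is an assumption: Wazuh's own OS_Regex/PCRE2 matching is not used here.

```python
import json
import re

# Constructed from the event JSON posted in the thread (eventchannel output after Wazuh's JSON decoder).
EVENT_JSON = r'''{"win":{"system":{"providerName":"OpenSSH","providerGuid":"{C4B57D35-0636-4BC3-A262-370F249F9802}","eventID":"4","channel":"OpenSSH/Operational","computer":"WIN-72J08VIAJ0E","severityValue":"INFORMATION","message":"\"sshd: Accepted password for Administrator from 192.168.0.122 port 52866 ssh2\""},"eventdata":{"process":"sshd","payload":"Accepted password for Administrator from 192.168.0.122 port 52866 ssh2"}}}'''

# Field conditions taken from rule 100411 in the thread (the active line plus the commented-out trials).
RULE_FIELDS = {
    "win.system.channel": r"^OpenSSH/Operational$",
    "win.system.providerName": r"^OpenSSH$",
    "win.eventdata.process": r"^sshd$",
}

# Pattern for the sshd "Accepted" line (assumed format, matches the posted payload).
SSHD_ACCEPT = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<port>\d+)")


def load_event() -> dict:
    """Parse the constructed event exactly as the decoder would hand it to the rule engine."""
    return json.loads(EVENT_JSON)


def get_field(event: dict, dotted: str):
    """Walk a dotted field name such as win.system.channel through the decoded JSON."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None  # missing field: the rule condition cannot match
        node = node[part]
    return node


def rule_matches(event: dict, fields: dict) -> dict:
    """Evaluate each <field> regex against the event; returns field -> matched?
    so a missing or non-matching field is visible instead of a silent False."""
    return {name: bool(re.search(pat, str(get_field(event, name) or "")))
            for name, pat in fields.items()}


def parse_sshd_payload(event: dict):
    """Extract method, user, source IP and port from the sshd payload, or None."""
    m = SSHD_ACCEPT.search(get_field(event, "win.eventdata.payload") or "")
    return m.groupdict() if m else None


if __name__ == "__main__":
    ev = load_event()
    print(rule_matches(ev, RULE_FIELDS))   # every field should report True
    print(parse_sshd_payload(ev))          # user/source details for the alert
```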

Ifeanyi Onyia Odike

Sep 18, 2023, 10:24:17 AM9/18/23
to Wazuh | Mailing List
Hi Taimur,

Thank you for using Wazuh!
Please give me some time to go through the query and devise a solution for it.

Regards,

Ifeanyi Onyia Odike

Sep 18, 2023, 11:51:52 AM9/18/23
to Wazuh | Mailing List
Hi Taimur,

Thanks for your patience.

To test this rule, please follow the procedure outlined in this thread: Wazuh Ruleset Test with Windows Event Logs
An example of where this was used is here: Test Windows events rules.

Please let me know if the rule works for your use case.

Regards,
