Custom Windows Event Alerts


John Alvis

Apr 13, 2022, 10:27:38 AM4/13/22
to Wazuh mailing list
I can't seem to get custom alerts working. I can see it in the archive file in Wazuh. I've added rules to local_rules.xml. I'm creating a fake Windows event using PowerShell for testing.

PowerShell: Write-EventLog -LogName "Application" -Source "ESENT" -EventID 30011 -EntryType Information -Message "Test app event to see in WAZUH"

The event looks like this in the Windows Event Log (XML view):

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ESENT" />
    <EventID Qualifiers="0">30011</EventID>
    <Level>4</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2022-04-12T22:47:58.000000000Z" />
    <EventRecordID>332780</EventRecordID>
    <Channel>Application</Channel>
    <Computer>OBRC-BACKUP03.crint.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Test app event to see in WAZUH</Data>
  </EventData>
</Event>



<group name="windows,windows_security">
  <rule id="100013" level="3">
    <field name="win.system.providerName">ESENT</field>
    <field name="win.system.eventID">^30011$</field>
    <options>alert_by_email</options>
    <description>Application Alert Test</description>
    <options>no_full_log</options>
  </rule>
</group>

Also tried looking for a match and alerting (the opening <group> tag was missing from the pasted snippet; the rule as it should appear in local_rules.xml):

<group name="windows,windows_security">
  <rule id="100015" level="3">
    <if_sid>60003</if_sid>
    <match>Test app event to see in WAZUH</match>
    <description>Application Alert Test 2</description>
    <options>no_full_log</options>
  </rule>
</group>


No matter how I set up the rules, it doesn't alert. I read that Windows event logs all use decoders that are built into Wazuh, so a custom decoder isn't needed. Not sure where to go from here. Any help would be greatly appreciated.

Julia Magán Rodríguez

Apr 13, 2022, 11:37:46 AM4/13/22
to Wazuh mailing list

Hello,

If we test the event generated with /var/ossec/bin/wazuh-logtest, we can see the following output:

[root@localhost vagrant]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.6
Type one log per line

{"win":{"system":{"providerName":"ESENT","eventID":"30011","level":"4","task":"1","keywords":"0x80000000000000","systemTime":"2022-04-13T15:00:28.972234800Z","eventRecordID":"648","channel":"Application","computer":"WIN-4J5728OKF9H","severityValue":"INFORMATION"},"eventdata":{"data":"Test app event to see in WAZUH"}}}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
    name: 'json'
    win.eventdata.data: 'Test app event to see in WAZUH'
    win.system.channel: 'Application'
    win.system.computer: 'WIN-4J5728OKF9H'
    win.system.eventID: '30011'
    win.system.eventRecordID: '648'
    win.system.keywords: '0x80000000000000'
    win.system.level: '4'
    win.system.providerName: 'ESENT'
    win.system.severityValue: 'INFORMATION'
    win.system.systemTime: '2022-04-13T15:00:28.972234800Z'
    win.system.task: '1'

**Phase 3: Completed filtering (rules).
    id: '60795'
    level: '0'
    description: 'Group of ESENT events'
    groups: '['windows', 'windows_application']'
    firedtimes: '1'
    mail: 'False'

This event matches rule 60795, which has level 0, so the alert is silenced. We can see that rule 60795 groups ESENT events:

<rule id="60795" level="0">
  <if_sid>60600</if_sid>
  <field name="win.system.providerName">^ESENT$</field>
  <options>no_full_log</options>
  <description>Group of ESENT events.</description>
</rule>

Now you can create a custom rule from this previous one using if_sid, for example:

<group name="windows,windows_security">
  <rule id="100013" level="3">
    <if_sid>60795</if_sid>
    <field name="win.system.eventID">^30011$</field>
    <options>alert_by_email</options>
    <description>Application Alert Test</description>
    <options>no_full_log</options>
  </rule>
</group>

[root@localhost vagrant]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.6
Type one log per line

{"win":{"system":{"providerName":"ESENT","eventID":"30011","level":"4","task":"1","keywords":"0x80000000000000","systemTime":"2022-04-13T15:00:28.972234800Z","eventRecordID":"648","channel":"Application","computer":"WIN-4J5728OKF9H","severityValue":"INFORMATION"},"eventdata":{"data":"Test app event to see in WAZUH"}}}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
    name: 'json'
    win.eventdata.data: 'Test app event to see in WAZUH'
    win.system.channel: 'Application'
    win.system.computer: 'WIN-4J5728OKF9H'
    win.system.eventID: '30011'
    win.system.eventRecordID: '648'
    win.system.keywords: '0x80000000000000'
    win.system.level: '4'
    win.system.providerName: 'ESENT'
    win.system.severityValue: 'INFORMATION'
    win.system.systemTime: '2022-04-13T15:00:28.972234800Z'
    win.system.task: '1'

**Phase 3: Completed filtering (rules).
    id: '100013'
    level: '3'
    description: 'Application Alert Test'
    groups: '['windows', 'windows_security']'
    firedtimes: '1'
    mail: 'True'
**Alert to be generated.

Or the second one:

<group name="windows,windows_security">
  <rule id="100015" level="3">
    <if_sid>60795</if_sid>
    <match>Test app event to see in WAZUH</match>
    <description>Application Alert Test 2</description>
    <options>no_full_log</options>
  </rule>
</group>

[root@localhost vagrant]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.6
Type one log per line

{"win":{"system":{"providerName":"ESENT","eventID":"30011","level":"4","task":"1","keywords":"0x80000000000000","systemTime":"2022-04-13T15:00:28.972234800Z","eventRecordID":"648","channel":"Application","computer":"WIN-4J5728OKF9H","severityValue":"INFORMATION"},"eventdata":{"data":"Test app event to see in WAZUH"}}}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
    name: 'json'
    win.eventdata.data: 'Test app event to see in WAZUH'
    win.system.channel: 'Application'
    win.system.computer: 'WIN-4J5728OKF9H'
    win.system.eventID: '30011'
    win.system.eventRecordID: '648'
    win.system.keywords: '0x80000000000000'
    win.system.level: '4'
    win.system.providerName: 'ESENT'
    win.system.severityValue: 'INFORMATION'
    win.system.systemTime: '2022-04-13T15:00:28.972234800Z'
    win.system.task: '1'

**Phase 3: Completed filtering (rules).
    id: '100015'
    level: '3'
    description: 'Application Alert Test 2'
    groups: '['windows', 'windows_security']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

You can see more info about how to use wazuh-logtest to check your rules here.
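To make the behaviour described in this answer concrete, here is a small, self-contained model of how a Wazuh rule tree is walked for the EventChannel JSON shown above. It is an added example written for this thread, not Wazuh's own code: the real wazuh-analysisd engine has more ordering and option semantics than this. The root rule 60600 is an assumption (the thread shows only that 60795 chains to it, not its own condition), so it is modelled as a placeholder that matches any event carrying a win.system.channel field; the sample event is a constructed copy of the logtest input. The model shows that, with only the built-in rules, the event stops at the level-0 rule 60795 and is silenced, while a custom child rule chained with if_sid reaches level 3 and would raise an alert.

```python
"""Simplified model of Wazuh rule-tree evaluation (added example, not Wazuh code)."""
import json
import re

# Constructed sample event, shaped like the EventChannel JSON shown in the thread.
SAMPLE_EVENT_JSON = (
    '{"win":{"system":{"providerName":"ESENT","eventID":"30011","level":"4","task":"1",'
    '"keywords":"0x80000000000000","systemTime":"2022-04-13T15:00:28.972234800Z",'
    '"eventRecordID":"648","channel":"Application","computer":"WIN-4J5728OKF9H",'
    '"severityValue":"INFORMATION"},"eventdata":{"data":"Test app event to see in WAZUH"}}}'
)


def flatten(obj, prefix=""):
    """Turn nested JSON into dotted keys such as win.system.eventID (the decoder's view)."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = str(value)
    return out


def rule(rule_id, level, description, if_sid=None, fields=None, match=None, options=()):
    """Build one rule record: fields maps a decoded field name to a regex, match is a substring."""
    return {"id": rule_id, "level": level, "description": description, "if_sid": if_sid,
            "fields": fields or {}, "match": match, "options": tuple(options)}


def rule_matches(r, decoded, raw_log):
    """A rule matches when every <field> regex matches and the optional <match> text is in the log."""
    for name, pattern in r["fields"].items():
        if name not in decoded or not re.search(pattern, decoded[name]):
            return False
    if r["match"] is not None and r["match"] not in raw_log:
        return False
    return True


def evaluate(rules, raw_log):
    """Walk the tree: top-level rules (no if_sid) first, then the first matching child at each
    depth. Returns the deepest matching rule, or None when nothing matches."""
    decoded = flatten(json.loads(raw_log))
    children = {}
    for r in rules:
        children.setdefault(r["if_sid"], []).append(r)
    current, parent_id = None, None
    while True:
        nxt = next((r for r in children.get(parent_id, [])
                    if rule_matches(r, decoded, raw_log)), None)
        if nxt is None:
            return current
        current, parent_id = nxt, nxt["id"]


def summarize(r):
    """Mimic the Phase 3 lines wazuh-logtest prints: id, level, alert raised, mail flag."""
    if r is None:
        return {"id": None, "level": 0, "alert": False, "mail": False}
    return {"id": r["id"], "level": r["level"], "alert": r["level"] > 0,
            "mail": "alert_by_email" in r["options"]}


# Assumed root rule (placeholder): the thread does not show 60600's condition.
ROOT = rule(60600, 0, "Assumed Windows root rule (placeholder)",
            fields={"win.system.channel": "."})
# Built-in grouping rule exactly as quoted in the thread: level 0 silences the event.
ESENT_GROUP = rule(60795, 0, "Group of ESENT events.", if_sid=60600,
                   fields={"win.system.providerName": "^ESENT$"})
# The two custom rules from the answer, chained under 60795 with if_sid.
CHAINED_CUSTOM = rule(100013, 3, "Application Alert Test", if_sid=60795,
                      fields={"win.system.eventID": "^30011$"},
                      options=("alert_by_email", "no_full_log"))
CHAINED_MATCH = rule(100015, 3, "Application Alert Test 2", if_sid=60795,
                     match="Test app event to see in WAZUH", options=("no_full_log",))


def baseline():
    """Only built-in rules: the event ends at 60795, level 0, no alert."""
    return summarize(evaluate([ROOT, ESENT_GROUP], SAMPLE_EVENT_JSON))


def with_field_rule():
    """Custom field rule chained under 60795: level 3 alert, mailed."""
    return summarize(evaluate([ROOT, ESENT_GROUP, CHAINED_CUSTOM], SAMPLE_EVENT_JSON))


def with_match_rule():
    """Custom <match> rule chained under 60795: level 3 alert, not mailed."""
    return summarize(evaluate([ROOT, ESENT_GROUP, CHAINED_MATCH], SAMPLE_EVENT_JSON))


if __name__ == "__main__":
    for label, result in (("built-in only", baseline()), ("if_sid + field", with_field_rule()),
                          ("if_sid + match", with_match_rule())):
        print(f"{label}: {result}")
```

Run it as a script to see the three outcomes side by side. The practical takeaway is the one the answer makes: a custom Windows rule needs an if_sid pointing at the built-in rule that already claims the event (here 60795), otherwise the level-0 grouping rule wins and nothing is alerted; wazuh-logtest is the place to confirm which rule id the event actually lands on.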

John Alvis

Apr 13, 2022, 1:43:51 PM4/13/22
to Wazuh mailing list
Thanks for your response! I added <if_sid>60795</if_sid> and then ran logtest, and I'm not getting a Phase 3. I see Phase 1 and 2 though. Is there something I need to do to turn on local_rules? Does it matter if I have multiple groups in local_rules?

Thanks! 

Julia Magán Rodríguez

Apr 18, 2022, 5:10:08 AM4/18/22
to Wazuh mailing list

Hello,

This is happening because I had to change the default windows decoders in order to test the event correctly. If I set up the default configuration and run wazuh-logtest I get:

[root@localhost vagrant]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.6
Type one log per line

{"win":{"system":{"providerName":"ESENT","eventID":"30011","level":"4","task":"1","keywords":"0x80000000000000","systemTime":"2022-04-13T15:00:28.972234800Z","eventRecordID":"648","channel":"Application","computer":"WIN-4J5728OKF9H","severityValue":"INFORMATION"},"eventdata":{"data":"Test app event to see in WAZUH"}}}

**Phase 1: Completed pre-decoding.
    full event: '{"win":{"system":{"providerName":"ESENT","eventID":"30011","level":"4","task":"1","keywords":"0x80000000000000","systemTime":"2022-04-13T15:00:28.972234800Z","eventRecordID":"648","channel":"Application","computer":"WIN-4J5728OKF9H","severityValue":"INFORMATION"},"eventdata":{"data":"Test app event to see in WAZUH"}}}'

**Phase 2: Completed decoding.
    name: 'json'
    win.eventdata.data: 'Test app event to see in WAZUH'
    win.system.channel: 'Application'
    win.system.computer: 'WIN-4J5728OKF9H'
    win.system.eventID: '30011'
    win.system.eventRecordID: '648'
    win.system.keywords: '0x80000000000000'
    win.system.level: '4'
    win.system.providerName: 'ESENT'
    win.system.severityValue: 'INFORMATION'
    win.system.systemTime: '2022-04-13T15:00:28.972234800Z'
    win.system.task: '1'

However, if I generate the event as you did before:

Write-EventLog -LogName "Application" -Source "ESENT" -EventID 30011 -EntryType Information -Message "Test app event to see in WAZUH"

We can see that the alert is generated in /var/ossec/logs/alerts/alerts.log:

** Alert 1650272572.776302: mail  - windows,windows_security
2022 Apr 18 09:02:52 (WIN-4J5728OKF9H) any->EventChannel
Rule: 100013 (level 3) -> 'Application Alert Test'
{"win":{"system":{"providerName":"ESENT","eventID":"30011","level":"4","task":"1","keywords":"0x80000000000000","systemTime":"2022-04-18T09:02:52.660676800Z","eventRecordID":"671","channel":"Application","computer":"WIN-4J5728OKF9H","severityValue":"INFORMATION"},"eventdata":{"data":"Test app event to see in WAZUH"}}}
win.system.providerName: ESENT
win.system.eventID: 30011
win.system.level: 4
win.system.task: 1
win.system.keywords: 0x80000000000000
win.system.systemTime: 2022-04-18T09:02:52.660676800Z
win.system.eventRecordID: 671
win.system.channel: Application
win.system.computer: WIN-4J5728OKF9H
win.system.severityValue: INFORMATION
win.eventdata.data: Test app event to see in WAZUH

The reason why I had to change the default configuration is that the Windows events we receive in /var/ossec/logs/archives/archives.log are different from the events that wazuh-analysisd receives, which is in charge of comparing the logs with the rules and generating an alert when they match.
