Wazuh Sysmon App Opened


Yogi Valentino

3:49 AM (14 hours ago)
to Wazuh | Mailing List
I'm using Wazuh with Sysmon to detect which app is opened on the system. I have already implemented it.

This is my rule:

<group name="ProcessCreation">
  <!-- Child of Wazuh's built-in Sysmon Event 1 (process creation) rule 61603 -->
  <rule id="101101" level="5">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.RuleName"></field>
    <options>no_full_log</options>
    <description>Sysmon - Event 1: File Opened $(win.eventdata.description).</description>
  </rule>

  <!-- Escalates when the binary's vendor is not a key in the approved-vendors CDB list -->
  <rule id="100500" level="10">
    <if_sid>101101</if_sid>
    <list field="win.eventdata.company" lookup="not_match_key">etc/lists/software-vendors</list>
    <description>Sysmon - Event 1: Process $(win.eventdata.description) started but not allowed by the software policy.</description>
    <mitre>
      <id>T1036</id>
    </mitre>
    <group>sysmon_event1,software_policy</group>
  </rule>
</group>

It is working fine, but I want them to log only the apps that are opened by the agent.
Like if I opened Steam, they log Steam, etc. Not something like (in the image): the apps that are working as background processes.

Attachments: Pie.png, Log.png

hasitha.u...@wazuh.com

4:03 AM (14 hours ago)
to Wazuh | Mailing List
Hi Yogi,

Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.

hasitha.u...@wazuh.com

4:35 AM (13 hours ago)
to Wazuh | Mailing List
Hi Yogi,
You want your Wazuh and Sysmon setup to generate alerts only for applications that you actively open and run, such as Steam or a web browser, and not for automatic background system processes like Google Updater, Windows Command Processor, or WMI Provider Host that run without user interaction?

I believe you already have a working rule to capture them, but your second rule does not work as expected for the logic you intended. Please share how you added the CDB list by opening this file:
nano /var/ossec/etc/lists/software-vendors
Make sure that you have given the permissions to the CDB list:
chmod 660 /var/ossec/etc/lists/software-vendors
chown wazuh:wazuh /var/ossec/etc/lists/software-vendors
Please let me know whether you have added this list in the Wazuh manager ossec.conf file's ruleset tag: <list>etc/lists/software-vendors</list>
For example:

...
<ruleset>
  <!-- Default ruleset -->
  <decoder_dir>ruleset/decoders</decoder_dir>
  <rule_dir>ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <list>etc/lists/audit-keys</list>
  <list>etc/lists/amazon/aws-eventnames</list>
  <list>etc/lists/security-eventchannel</list>
  <list>etc/lists/software-vendors</list>

  <!-- User-defined ruleset -->
  <decoder_dir>etc/decoders</decoder_dir>
  <rule_dir>etc/rules</rule_dir>
</ruleset>
...

If the issue is not with the above-mentioned solutions, I need sample logs from archives.json. Then I can replicate it and share the proper resolution with you.
To capture the logs from archives.json, please follow these steps:
1. Enable logall_json on the Wazuh manager
Update the ossec.conf file on the Wazuh manager to enable logall_json.
2. Reproduce the event
Trigger the event again to capture the relevant logs.
3. Extract the relevant logs
Run the following command on the Wazuh manager:
cat /var/ossec/logs/archives/archives.json | grep -iE "<related string>"
Replace <related string> with a relevant value from the log to filter the specific entries.
4. Disable logall_json
After capturing the logs, disable logall_json in the ossec.conf file to prevent excessive storage usage.
Share the sample log that you have taken from archives.json with us.
Ref: https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#enabling-archiving

Warning
Keeping <logall_json>yes</logall_json> on can fill up your disk fast! Once you’re done troubleshooting, set it back to no in /var/ossec/etc/ossec.conf and restart the manager:
systemctl restart wazuh-manager

Therefore, please share a sample log from the archives.json log, so we can assist you further.

Let me know the update on this.
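As an added example, not part of the thread: a short Python script that triages archives.json lines like the ones requested above and keeps only the Sysmon Event 1 records whose parent is an interactive shell or launcher and whose user is not a built-in service account. The sample lines are constructed, and the parent and service-account sets are assumptions to tune for your environment.

```python
import json

# Assumptions (tune per environment): a process whose parent is an interactive
# shell/launcher was opened by a user; one owned by a service account is background.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe"}
SERVICE_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                    "nt authority\\network service"}

def make_event(desc, image, parent, user, company):
    # One archives.json line in the shape Wazuh gives a Sysmon Event 1 record (constructed).
    return json.dumps({"decoder": {"name": "windows_eventchannel"}, "data": {"win": {
        "system": {"providerName": "Microsoft-Windows-Sysmon", "eventID": "1"},
        "eventdata": {"image": image, "parentImage": parent, "user": user,
                      "company": company, "description": desc}}}})

# Constructed sample: two user-opened apps and three background processes.
SAMPLE_LINES = [
    make_event("Steam", "C:\\Program Files (x86)\\Steam\\steam.exe",
               "C:\\Windows\\explorer.exe", "DESKTOP-01\\yogi", "Valve Corporation"),
    make_event("Google Updater", "C:\\Program Files (x86)\\Google\\GoogleUpdater\\updater.exe",
               "C:\\Windows\\System32\\services.exe", "NT AUTHORITY\\SYSTEM", "Google LLC"),
    make_event("WMI Provider Host", "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
               "C:\\Windows\\System32\\svchost.exe", "NT AUTHORITY\\NETWORK SERVICE", "Microsoft"),
    make_event("Google Chrome", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
               "C:\\Windows\\explorer.exe", "DESKTOP-01\\yogi", "Google LLC"),
    make_event("Windows Command Processor", "C:\\Windows\\System32\\cmd.exe",
               "C:\\Windows\\System32\\svchost.exe", "NT AUTHORITY\\SYSTEM", "Microsoft"),
]

def is_user_launched(event):
    # True when an Event 1 record looks like an app opened from a user's desktop session.
    win = event.get("data", {}).get("win", {})
    if str(win.get("system", {}).get("eventID")) != "1":
        return False
    ed = win.get("eventdata", {})
    if ed.get("user", "").lower() in SERVICE_ACCOUNTS:
        return False
    parent = ed.get("parentImage", "").rsplit("\\", 1)[-1].lower()
    return parent in INTERACTIVE_PARENTS

def user_launched_apps(lines):
    # Keep only the descriptions of user-launched processes, in log order.
    apps = []
    for line in lines:
        event = json.loads(line)
        if is_user_launched(event):
            apps.append(event["data"]["win"]["eventdata"]["description"])
    return apps

print(user_launched_apps(SAMPLE_LINES))  # ['Steam', 'Google Chrome']
```

The same two conditions can be carried into the rule as `<field name="win.eventdata.parentImage">` and `<field name="win.eventdata.user">` checks, so that the vendor-list rule only escalates launches coming from a user session.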
