Powershell logs are not being sent to the manager


cyber ninjas

Apr 19, 2023, 4:44:21 PM4/19/23
to Wazuh mailing list
Hello Team,

I am running Wazuh 4.3, and I am trying to ingest PowerShell logs. I have enabled the localfile analysis in the endpoint agent configuration like so:
  <localfile>
    <location>Microsoft-Windows-PowerShell/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

And I have added the following local rules to /var/ossec/etc/rules/local_rules.xml (I have also tried the values 91802 and 60000 for <if_sid>).

<group name="windows-custom,">

  <rule id="100535" level="5">
    <if_sid>91801</if_sid>
    <field name="win.system.providerName">^Microsoft-Windows-PowerShell/Operational$</field>
    <group>powershell,</group>
    <description>Powershell Information EventLog</description>
  </rule>

  <rule id="100536" level="7">
    <if_sid>91801</if_sid>
    <field name="win.system.providerName">^Microsoft-Windows-PowerShell/Operational$</field>
    <group>powershell,</group>
    <description>Powershell Warning EventLog</description>
  </rule>

  <rule id="100537" level="10">
    <if_sid>91801</if_sid>
    <field name="win.system.providerName">^Microsoft-Windows-PowerShell/Operational$</field>
    <field name="win.system.severityValue">^ERROR$</field>
    <group>powershell,</group>
    <description>Powershell Error EventLog</description>
  </rule>

  <rule id="100538" level="13">
    <if_sid>91801</if_sid>
    <field name="win.system.providerName">^Microsoft-Windows-PowerShell/Operational$</field>
    <group>powershell,</group>
    <description>Powershell Critical EventLog</description>
  </rule>

  <rule id="100539" level="12">
    <if_sid>91801</if_sid>
    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.severityValue">^VERBOSE$</field>
    <field name="win.system.eventID">^4104$</field>
    <options>no_full_log</options>
    <description>PowerShell CommandLine: $(win.eventdata.scriptBlockText)</description>
  </rule>

  <rule id="100540" level="0">
    <if_sid>100539</if_sid>
    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.eventdata.scriptBlockText">^prompt$</field>
    <options>no_full_log</options>
    <description>Group of Windows PowerShell rules</description>
  </rule>
</group>

I see the event in Windows Event viewer, but not in the dashboard. I have also checked /var/ossec/logs/archives/archives.json for event 4104, but there are none. I have been using this thread as a guide but still with no results. https://github.com/wazuh/wazuh/issues/10712

Any guidance you can give is most appreciated, thank you!

Jennifer A.

Bin Do Tuan Anh

Apr 20, 2023, 2:22:42 PM4/20/23
to Wazuh mailing list
Hi,

Rule 91801 gets triggered when the field win.system.channel is ^Microsoft-Windows-PowerShell/Operational.

So your rules 100535 and 100536 have no additional fields (or any conditions), which makes these rules needless.

Can you please search for that rule (90507) in your alerts (the file /var/ossec/logs/alerts/alerts.json; the file contains all your alerts during a day)?

Best regards,
Bin.

cyber ninjas

Apr 21, 2023, 4:27:30 PM4/21/23
to Wazuh mailing list
Hello Bin,

Thank you very much for your response. I’ve read through the alerts.json log for rule #90507; unfortunately, I found none. So I checked the ruleset for that particular one, and it does not seem to be specific to PowerShell:

<rule id="90507" level="6">
    <if_sid>60600</if_sid>
    <field name="win.system.eventID">^4104$</field>
    <description>The start of the ThreatNet controller failed</description>
    <options>no_full_log</options>
</rule>

Am I mistaken in understanding that event 4104 is also handled by other rules? This is the kind of event I am trying to capture in the alerts and dashboard, but without success:

Level Date and Time Source Event ID Task Category
Verbose 4/21/2023 3:36:18 PM Microsoft-Windows-PowerShell 4104 Execute a Remote Command "Creating Scriptblock text (1 of 1):
.\parseNIST.py SSA-321292

ScriptBlock ID: 3e1968a5-b7b5-4d1e-b7f1-05679acb3b17
Path: "

Thank you,

Jennifer A.
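An added diagnostic, not from this thread or from the Wazuh project: it reads archives.json-style lines (one JSON object per line), lists the values the manager decoded into win.system.channel and win.system.providerName for event 4104, and counts how many of those events a given <field> regex would select, so a rule like the ones above can be checked against what actually reached the manager before looking at the dashboard. The sample lines are constructed from the Event Viewer entry above; the decoded field layout and values are assumptions, and Python's re only approximates Wazuh's own regex syntax.

```python
import json
import re
import sys
from collections import Counter

# Constructed sample lines in the shape of /var/ossec/logs/archives/archives.json.
# The 4104 values mirror the Event Viewer entry quoted in the thread; they are not captured data.
SAMPLE_ARCHIVE_LINES = [
    r'{"timestamp":"2023-04-21T15:36:18.000-0400","agent":{"id":"001","name":"WIN-HOST"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-PowerShell","eventID":"4104","channel":"Microsoft-Windows-PowerShell/Operational","severityValue":"VERBOSE"},"eventdata":{"scriptBlockText":".\\parseNIST.py SSA-321292","scriptBlockId":"3e1968a5-b7b5-4d1e-b7f1-05679acb3b17"}}},"location":"EventChannel"}',
    r'{"timestamp":"2023-04-21T15:36:19.000-0400","agent":{"id":"001","name":"WIN-HOST"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4624","channel":"Security","severityValue":"AUDIT_SUCCESS"},"eventdata":{"logonType":"3"}}},"location":"EventChannel"}',
    r'{"timestamp":"2023-04-21T15:36:20.000-0400","agent":{"id":"001","name":"WIN-HOST"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-PowerShell","eventID":"4104","channel":"Microsoft-Windows-PowerShell/Operational","severityValue":"VERBOSE"},"eventdata":{"scriptBlockText":"prompt"}}},"location":"EventChannel"}',
]


def iter_events(lines, event_id="4104"):
    """Yield decoded archive entries whose win.system.eventID equals event_id."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # a line still being written can be truncated; skip it
        system = entry.get("data", {}).get("win", {}).get("system", {})
        if system.get("eventID") == event_id:
            yield entry


def field_values(lines, field_path, event_id="4104"):
    """Count the distinct values of a dotted field (e.g. 'win.system.channel') across matching events."""
    counts = Counter()
    for entry in iter_events(lines, event_id):
        node = entry.get("data", {})
        for key in field_path.split("."):
            node = node.get(key, {}) if isinstance(node, dict) else {}
        if isinstance(node, str):
            counts[node] += 1
    return counts


def rule_regex_matches(lines, field_path, pattern, event_id="4104"):
    """Return how many event_id events a <field name=field_path> regex would select (Python re approximation)."""
    regex = re.compile(pattern)
    return sum(n for value, n in field_values(lines, field_path, event_id).items() if regex.search(value))


if __name__ == "__main__":
    # Pass a real archives.json path to inspect live data; otherwise the constructed sample is used.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_ARCHIVE_LINES
    pattern = r"^Microsoft-Windows-PowerShell/Operational$"
    for path in ("win.system.channel", "win.system.providerName"):
        print(path, dict(field_values(lines, path)), "regex matches:", rule_regex_matches(lines, path, pattern))
```

Zero 4104 entries in archives.json means the events are not reaching the manager at all (agent side), while entries present but no regex matches point at the rule's field or pattern.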
