How to configure separate syscheck for FIM and VirusTotal


ismailctest C

Feb 28, 2024, 5:58:52 AM
to Wazuh | Mailing List
Hi Team,
We have integrated VirusTotal with the group name syscheck.
We need to ignore the path below from VirusTotal scanning without affecting FIM: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS

Do we have any option to create a separate new group, syscheck1, for VirusTotal?

Please find the existing configuration below:
<!-- Virus Total -->
<integration>
  <name>virustotal</name>
  <api_key>xxxxxxxxxxxxxxxxxxxxxxxxxxxxx</api_key>
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>

Md. Nazmur Sakib

Feb 28, 2024, 6:55:21 AM
to Wazuh | Mailing List
Hi Ismailctest,

Hope you are doing well. 

I am looking at your query. Please allow me a few minutes. I will get back to you soon.

Md. Nazmur Sakib

Feb 28, 2024, 8:08:16 AM
to Wazuh | Mailing List
Hi

This can be achieved with the following workaround.

You can overwrite the default FIM rules and add syscheck1 to their group:


<group name="ossec,">
  <rule id="550" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <description>Integrity checksum changed.</description>
    <mitre>
      <id>T1565.001</id>
    </mitre>
    <group>syscheck,syscheck1,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="553" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_deleted</decoded_as>
    <description>File deleted.</description>
    <mitre>
      <id>T1070.004</id>
      <id>T1485</id>
    </mitre>
    <group>syscheck,syscheck1,syscheck_entry_deleted,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="554" level="5" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,syscheck1,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

Ref: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-rule



Next, write custom rules that trigger a different rule where the syscheck.path is HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS.



And add this rule:

<group name="custom,">
  <rule id="100500" level="5">
    <if_sid>parent_rule_ID</if_sid>
    <!-- add a <field> filter here that matches alerts where the
         syscheck.path is HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS -->
    <description>FIM alert for the VSS registry key.</description>
    <group>syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>


Check these documents to get help with regex and rule syntax:

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html


https://documentation.wazuh.com/current/user-manual/ruleset/custom.html


Next, use syscheck1 in the VirusTotal configuration. In this way, all FIM alerts will have the syscheck1 group field, but for the particular path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS the group information will not be available.


I hope this solves your issue. Let me know if you need any further help.

ismailctest C

Feb 29, 2024, 2:19:37 AM
to Wazuh | Mailing List
Hi,
Is it possible to create a separate group 'syscheck1' for VirusTotal and keep the syscheck group for FIM?
Note: no need to change anything in the syscheck group.

Md. Nazmur Sakib

Feb 29, 2024, 3:52:14 AM
to Wazuh | Mailing List

Hi Ismailctest,

There is no easy way to achieve this. The workaround will not create any conflict with the syscheck group for FIM; it will only additionally add the syscheck1 group to all the FIM alerts that are not from the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS folder.

For VSS folder FIM alerts, everything will be the same as before; only the rule ID will change, and the new syscheck1 group will not be added.

For example, using the following custom rules file, I have replicated the same for the c:\users\user\documents folder:




<group name="ossec,">
  <rule id="100550" level="7">
    <if_sid>550</if_sid>
    <field name="file">c:\\users\\user\\documents\\\.*</field>
    <description>Integrity checksum changed.</description>
    <mitre>
      <id>T1565.001</id>
    </mitre>
    <group>syscheck,syscheck1,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="100553" level="7">
    <if_sid>553</if_sid>
    <field name="file">c:\\users\\user\\documents\\\.*</field>
    <description>File deleted.</description>
    <mitre>
      <id>T1070.004</id>
      <id>T1485</id>
    </mitre>
    <group>syscheck,syscheck1,syscheck_entry_deleted,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="100554" level="5">
    <if_sid>554</if_sid>
    <field name="file">c:\\users\\user\\documents\\\.*</field>
    <description>File added to the system.</description>
    <group>syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>


Check the difference in the group name.



The filter I have used in the rule is:

<field name="file">c:\\users\\user\\documents\\\.*</field>

You need to modify the value with your file path. Everything else stays the same.

Check this document to learn more about the rules:
https://documentation.wazuh.com/current/user-manual/ruleset/index.html

Next, use the syscheck1 group in the VirusTotal configuration:

<integration>
  <name>virustotal</name>
  <api_key>YOUR_VIRUS_TOTAL_API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
  <group>syscheck1</group>
  <alert_format>json</alert_format>
</integration>


Let me know if this solves your issue or if you need any further help.

ismailctest C

Feb 29, 2024, 6:22:36 AM
to Wazuh | Mailing List
Hi,
I apologize for the bothersome question again.

The VirusTotal configuration has been completed and is working fine.
We use the free VirusTotal API, so we have a limit (we are getting this error: Public API request rate limit reached).
Upon inspection, we found that many of the requests came from this path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS
Thus, we intend to ignore this path from the complete VirusTotal scan.

Please let us know the easiest way to ignore this path for VirusTotal scanning only (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS).

Md. Nazmur Sakib

Feb 29, 2024, 7:50:48 AM
to Wazuh | Mailing List

Hi Ismailctest,

I understand what you are trying to achieve. There is no easy way to do it; you need to create custom rules to achieve this.

The filter options for integrations are:

  • level: filters alerts by rule level
  • rule_id: filters alerts by rule ID
  • group: filters alerts by rule group
  • event_location: filters alerts by where the event originated

You can either use the above workaround with groups or use the workaround below with rules.


<group name="ossec,">
  <rule id="100550" level="7">
    <if_sid>550</if_sid>
    <field name="file">c:\\users\\user\\documents\\\.*</field>
    <description>Integrity checksum changed.</description>
    <mitre>
      <id>T1565.001</id>
    </mitre>
    <group>syscheck,syscheck1,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="100553" level="7">
    <if_sid>553</if_sid>
    <field name="file">c:\\users\\user\\documents\\\.*</field>
    <description>File deleted.</description>
    <mitre>
      <id>T1070.004</id>
      <id>T1485</id>
    </mitre>
    <group>syscheck,syscheck1,syscheck_entry_deleted,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="100554" level="5">
    <if_sid>554</if_sid>
    <field name="file">c:\\users\\user\\documents\\\.*</field>
    <description>File added to the system.</description>
    <group>syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>


So this will generate different rule IDs for your specific file location, and you then use the default FIM rule IDs in the VirusTotal integration:

<integration>
  <name>virustotal</name>
  <api_key>YOUR_VIRUS_TOTAL_API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
  <rule_id>550,553,554</rule_id>
  <alert_format>json</alert_format>
</integration>


Let me know if this works for you.
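The two filter styles discussed in this thread (a dedicated group versus a rule_id list), as an added worked example that is not part of the original thread or of the Wazuh project: a small Python model of how a FIM alert descends from its base rule to an if_sid child, and whether an integration block with a given filter would then send it to VirusTotal. The rule set, the OS_Regex-to-re translation, the sample alerts and the filter semantics are all constructed approximations for this example, not Wazuh's engine; the parent rules carry the extra syscheck1 group (the overwrite from the first reply) and the child rules for the excluded folder omit it, which is the arrangement the reply describes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rule set for this example, not the shipped Wazuh ruleset: cut-down
# stand-ins for default FIM rules 550/553 with the extra "syscheck1" group, plus
# child rules that take over alerts for one folder and omit "syscheck1".
RULES_XML = r"""
<group name="ossec,">
  <rule id="550" level="7">
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <description>Integrity checksum changed.</description>
    <group>syscheck,syscheck1,syscheck_entry_modified,syscheck_file,</group>
  </rule>
  <rule id="553" level="7">
    <decoded_as>syscheck_deleted</decoded_as>
    <description>File deleted.</description>
    <group>syscheck,syscheck1,syscheck_entry_deleted,syscheck_file,</group>
  </rule>
  <rule id="100550" level="7">
    <if_sid>550</if_sid>
    <field name="file">c:\\users\\user\\documents\\\.*</field>
    <description>Integrity checksum changed (excluded folder).</description>
    <group>syscheck,syscheck_entry_modified,syscheck_file,</group>
  </rule>
  <rule id="100553" level="7">
    <if_sid>553</if_sid>
    <field name="file">c:\\users\\user\\documents\\\.*</field>
    <description>File deleted (excluded folder).</description>
    <group>syscheck,syscheck_entry_deleted,syscheck_file,</group>
  </rule>
</group>
"""

def osregex_to_python(pattern):
    """Translate the OS_Regex subset used above into Python re syntax: '\\\\' is a
    literal backslash, '\\.' and '.' match any character, '*' repeats the previous
    item. Simplified for this example; Wazuh's engine has more operators."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(r"\\" if nxt == "\\" else "." if nxt == "." else "\\" + nxt)
            i += 2
            continue
        out.append(c if c in ".*+?^$" else re.escape(c))
        i += 1
    return "".join(out)

def load_rules(xml_text):
    """Read <rule> elements into dicts: id, level, decoder, parent, field filters, groups."""
    rules = []
    for r in ET.fromstring(xml_text.strip()).iter("rule"):
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "decoded_as": r.findtext("decoded_as"),
            "if_sid": r.findtext("if_sid"),
            "fields": {f.get("name"): f.text for f in r.findall("field")},
            "groups": [g for g in (r.findtext("group") or "").split(",") if g],
        })
    return rules

def evaluate(rules, alert):
    """Rule an alert ends on: the base rule for its decoder, then descend through
    <if_sid> children whose <field> patterns all match (first matching child wins).
    Case-insensitive matching is an assumption made here for Windows paths."""
    current = next(r for r in rules
                   if r["if_sid"] is None and r["decoded_as"] == alert["decoded_as"])
    while True:
        child = next((r for r in rules if r["if_sid"] == current["id"] and all(
            re.search(osregex_to_python(p), alert.get(name, ""), re.IGNORECASE)
            for name, p in r["fields"].items())), None)
        if child is None:
            return current
        current = child

def integration_forwards(integration, rule):
    """Apply the <level>, <rule_id> and <group> filters of an <integration> block;
    every filter that is present must pass (approximation of integratord's filtering)."""
    def wanted(key):
        return {v.strip() for v in integration.get(key, "").split(",") if v.strip()}
    if "level" in integration and rule["level"] < int(integration["level"]):
        return False
    if "rule_id" in integration and rule["id"] not in wanted("rule_id"):
        return False
    if "group" in integration and not wanted("group") & set(rule["groups"]):
        return False
    return True

if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    alerts = [  # constructed sample FIM events: one in the excluded folder, one elsewhere
        {"decoded_as": "syscheck_integrity_changed", "file": r"c:\users\user\documents\report.docx"},
        {"decoded_as": "syscheck_deleted", "file": r"c:\windows\system32\drivers\etc\hosts"},
    ]
    # original config, then the group workaround, then the rule_id workaround
    for cfg in ({"group": "syscheck"}, {"group": "syscheck1"}, {"rule_id": "550,553"}):
        for alert in alerts:
            rule = evaluate(rules, alert)
            sent = integration_forwards(cfg, rule)
            print(f"{cfg} {alert['file']} -> rule {rule['id']}: {'sent' if sent else 'not sent'}")
```

Running it shows the point of both workarounds: the document in the excluded folder lands on rule 100550 and is not sent under either `<group>syscheck1</group>` or `<rule_id>550,553</rule_id>`, while the other file stays on rule 553 and is sent; with the original `<group>syscheck</group>` both are sent, which is what exhausts the free API quota.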

Md. Nazmur Sakib

Mar 1, 2024, 7:03:05 AM
to Wazuh | Mailing List
Hi Ismailctest,


Let me know if you need any further help.