Assist to build decoders | CEF logs


Gal Akavia

Apr 11, 2022, 3:25:38 PM
to Wazuh mailing list
Hi all,
After many hours trying to build decoders for Trend Micro Apex Central CEF logs with Wazuh, I'm a little blocked..

I'm using Wazuh all-in-one 4.1.5 for like a year and I'm grateful for this app so.. thanks!

While trying I was watching 2-3 videos about Wazuh and decoders, also I read a lot from the docs about decoders, sibling decoders, syntax, wazuh-regex, wazuh-logtest etc. & I'm like familiar with more of Wazuh's capabilities, so I really tried but still I'm stuck!

1.
I took this log sample from the Trend Micro CEF docs -

CEF:0|Trend Micro|Apex Central|2019|BM:1000|Behavior Monit oring|3|rt=Aug 16 2017 05:00:40 GMT+00:00 dvchost=localhost cn1Label=Risk_Level cn1=1 cs2Label=Policy cs2=1000 sproc=C:\ \Windows\\SysWOW64\\rundll32.exe cn2Label=Event_Type cn2=4 c s1Label=Target cs1=HKCU\\Software\\Microsoft\\Windows\\Curre ntVersion\\Run\\COM+ act=3 cn3Label=Operation cn3=302 shost= shost1 src=10.0.76.40 deviceFacility=Apex One

2.
I also followed Miguel's instructions about sibling decoders in this link.
After I tried that and many other attempts I tested it with wazuh-logtest but failed like 100 times :(

[screenshot attachment: Capture.png]

This is just one example of what I tried:

<decoder name="cef_trend_micro">
    <program_name>CEF</program_name>
    <prematch>0\|Trend Micro\|</prematch>
</decoder>

<decoder name="cef_apex_central">
    <parent>cef_trend_micro</parent>
    <prematch>Trend Micro\|Apex Central\|</prematch>
    <regex>^0\|Trend Micro\|(\.+)\|(\d+)\|</regex>
    <order>application,version,type</order>
</decoder>

4.
Also I tried it on Regex101, it succeeds there but not on Wazuh, I mean I couldn't even save the new custom decoder I set, so I guess I'm missing something(s)..

I'll appreciate any help..!
If I missed any information that can assist please ask me.
Thanks :)

Christian Borla

Apr 11, 2022, 4:05:34 PM
to Wazuh mailing list
Hi gulguly64,
I hope you are doing fine! Thanks for using Wazuh!

Analyzing the custom decoders that you use, I wonder if the example log is the correct one; maybe it arrives with a syslog header, in that case the pre-decoder will capture the program_name field and that makes sense of using program_name as a filter in the custom decoder.
Did you find some Trend Micro events in the Wazuh manager? To verify the correct log format please look for some events in /var/ossec/logs/archives/archives.json; if the archives.json file doesn't exist, modify the manager ossec.conf to include the log-all options as in the following configuration, and restart the manager to enable it.

<ossec_config>
    <global>
        <alerts_log>yes</alerts_log>
        <logall>yes</logall>
        <logall_json>yes</logall_json>
    </global>
</ossec_config>


Maybe the log will look like:

   Apr 7 13:15:07  user  CEF:0|Trend Micro|Apex Central|2019...

I suspect it because of how the decoder is made; otherwise, I did some changes in the custom decoders to match your example log.

New custom decoder

<decoder name="cef_trend_micro">
    <prematch>CEF:0\|Trend Micro\|</prematch>
</decoder>

<decoder name="cef_apex_central">
    <parent>cef_trend_micro</parent>
    <prematch>Trend Micro\|Apex Central\|</prematch>
    <regex type="pcre2">CEF:0\|Trend Micro\|([^\|]+)\|(\d+)\|</regex>
    <order>application,version,type</order>
</decoder>


Then I ran wazuh-logtest and the results are successful:

/var/ossec/bin/wazuh-logtest
Type one log per line


CEF:0|Trend Micro|Apex Central|2019|BM:1000|Behavior Monit oring|3|rt=Aug 16 2017 05:00:40 GMT+00:00 dvchost=localhost cn1Label=Risk_Level cn1=1 cs2Label=Policy cs2=1000 sproc=C:\ \Windows\\SysWOW64\\rundll32.exe cn2Label=Event_Type cn2=4 c s1Label=Target cs1=HKCU\\Software\\Microsoft\\Windows\\Curre ntVersion\\Run\\COM+ act=3 cn3Label=Operation cn3=302 shost= shost1 src=10.0.76.40 deviceFacility=Apex One

**Phase 1: Completed pre-decoding.
    full event: 'CEF:0|Trend Micro|Apex Central|2019|BM:1000|Behavior Monit oring|3|rt=Aug 16 2017 05:00:40 GMT+00:00 dvchost=localhost cn1Label=Risk_Level cn1=1 cs2Label=Policy cs2=1000 sproc=C:\ \Windows\\SysWOW64\\rundll32.exe cn2Label=Event_Type cn2=4 c s1Label=Target cs1=HKCU\\Software\\Microsoft\\Windows\\Curre ntVersion\\Run\\COM+ act=3 cn3Label=Operation cn3=302 shost= shost1 src=10.0.76.40 deviceFacility=Apex One'

**Phase 2: Completed decoding.
    name: 'cef_trend_micro'
    parent: 'cef_trend_micro'
    application: 'Apex Central'
    version: '2019'

Let me know if that works.
Regards.

Gal Akavia

Apr 12, 2022, 4:07:47 AM
to Wazuh mailing list
Hi Christian, first thanks, it worked, but going back to what you said about the syslog, it is correct.
" it arrives with a syslog header, in that case the pre-decoder will capture the program_name field"
This is the beginning of the syslog format for these logs >>

04-12-2022    10:00:54    Local0.Notice    192.168.x.x    Apr 12 2022 10:00:53 central-edr.corp-x.domain CEF:0|Trend Micro|Apex Central|2019|Block|Intrusion Prevention|3|

<decoder name="cef_trend_micro">
    <prematch type="pcre2">CEF:0\|Trend Micro\|</prematch>

</decoder>

<decoder name="cef_apex_central">
    <parent>cef_trend_micro</parent>
    <regex type="pcre2">^(\w{3})\s+\d{1,2}\s+(\d+)\s+(\d+:\d+:\d+)\s+central-edr.corp-x.domain \s+CEF:0\|Trend Micro\|([^\|]+)\|(\d+)\|</regex>
    <order>time.month,time.day,time.hour,application,version</order>
</decoder>


The above decoder worked only for the next log line (without the beginning, e.g. without 04-12-2022    10:00:54    Local0.Notice    192.168.x.x) >>
[screenshot attachment: Capture.PNG]

After testing the whole log it didn't work >>
[screenshot attachment: Capture1.PNG]

Thanks in advance! Really appreciate it :)

BTW
I'm not sending the logs from the syslog yet, so I didn't turn on archives; will do after building all decoders & basic rules to start with..

Christian Borla

Apr 12, 2022, 7:36:32 AM
to Wazuh mailing list
Hi gulguly64,
I hope you are doing fine!
Including one or two headers depends on how the events are collected; sometimes it's possible to modify it from the device that creates the event, avoiding the double header. I suggest you use the same events as they arrive in archives.json (full_log section).

To make the event log match as it is, it will be necessary to dismiss the start from the beginning.
Remove ^ from the regex beginning; in this case it's possible because the key word is Trend Micro, and it was validated in the parent rule too.
The decoder looks like:

<decoder name="cef_apex_central">
    <parent>cef_trend_micro</parent>
    <!-- day is captured and the year gets its own field so that every capture group lines up with the name in <order> -->
    <regex type="pcre2">(\w{3})\s+(\d{1,2})\s+(\d{4})\s+(\d+:\d+:\d+)\s+central-edr\.corp-x\.domain\s+CEF:0\|Trend Micro\|([^\|]+)\|(\d+)\|</regex>
    <order>time.month,time.day,time.year,time.hour,application,version</order>
</decoder>

I think it's the best option, because it will work for both log versions, with 1 and 2 headers; it's also possible to create a middle decoder to process and discard the first header, but it will fail if the log event arrives with one header.

PS: be careful, the regex had an extra space between ....central-edr\.corp-x\.domainSPACE\s+CEF:0\|Trend Micro\|....

Let me know if this information is useful to you!
Regards.
[screenshot attachment: wazu-logtest.JPG]
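To see why removing the leading ^ matters and why the stray space breaks the match, here is a small added check (not from the thread or from Wazuh) that emulates a child decoder's prematch, regex and order mapping with Python's re module on constructed one-header and two-header sample lines; the hostname, the field names and the decode() helper are assumptions for the demo.

```python
import re

# Constructed sample events (not from the thread): the same Apex Central CEF event
# once with a single syslog header and once with the second header described above.
ONE_HEADER = ("Apr 12 2022 10:00:53 central-edr.corp-x.domain "
              "CEF:0|Trend Micro|Apex Central|2019|Block|Intrusion Prevention|3|")
TWO_HEADERS = "04-12-2022    10:00:54    Local0.Notice    192.168.x.x    " + ONE_HEADER

# Hypothetical decoder definitions mirroring the thread's <prematch>, <regex>, <order>.
PREMATCH = r"CEF:0\|Trend Micro\|"
# Unanchored body: no leading ^, dots in the hostname escaped, and the day
# captured so that every group maps to the field named at the same position.
BODY = (r"(\w{3})\s+(\d{1,2})\s+(\d{4})\s+(\d+:\d+:\d+)\s+central-edr\.corp-x\.domain\s+"
        r"CEF:0\|Trend Micro\|([^\|]+)\|(\d+)\|")
ANCHORED = "^" + BODY                                     # only matches at offset 0
EXTRA_SPACE = BODY.replace(r"domain\s+", r"domain \s+")  # literal space + \s+ needs 2+ blanks
ORDER = ["time.month", "time.day", "time.year", "time.hour", "application", "version"]


def decode(line, regex, prematch=PREMATCH, order=ORDER):
    """Emulate a Wazuh child decoder: <prematch> must hit somewhere in the line,
    then each <regex> capture group is assigned to the next name in <order>.
    Returns the field dict, or None when the event would stay undecoded."""
    if re.search(prematch, line) is None:
        return None
    m = re.search(regex, line)
    if m is None:
        return None
    return dict(zip(order, m.groups()))


def compare(line):
    """Run the three regex variants on one line; True where the decoder fires."""
    return {name: decode(line, rx) is not None
            for name, rx in (("anchored", ANCHORED), ("unanchored", BODY),
                             ("extra_space", EXTRA_SPACE))}


if __name__ == "__main__":
    for label, line in (("one header", ONE_HEADER), ("two headers", TWO_HEADERS)):
        print(label, compare(line))
    print(decode(TWO_HEADERS, BODY))
```

The anchored variant decodes only the one-header line, the extra-space variant decodes neither, and the unanchored one decodes both.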

Gal Akavia

Apr 12, 2022, 8:29:49 AM
to Wazuh mailing list
Removing ^ from the regex beginning made it work with 2 headers.
Will continue from here, thank you a lot Christian and also for the fast reply! :)

Christian Borla

Apr 12, 2022, 8:51:17 AM
to Wazuh mailing list
Hi gulguly64,
Great! You are welcome!
Regards

Gal Akavia

Apr 14, 2022, 9:35:48 AM
to Wazuh mailing list
Hi Christian!
I want to update you that I successfully built all Apex Central decoders + basic rules for Wazuh! So happy!
Thank you again :)

Gal Akavia

Apr 14, 2022, 9:43:23 AM
to Wazuh mailing list
+ tested and working great.


Christian Borla

Apr 18, 2022, 1:52:41 PM
to Wazuh mailing list
Hi gulguly64,
Good news!! You are welcome!
Regards