Event 4688 and subsequent events

[Tom Powers]

Hello!!

SO we are tracking Event 4688 process creations, and here's out isse.

Scenario:

Process1.exe fires up and spawns cmd.exe with a command line of 'cmd.exe /c powershell.exe "some posh command"'

So we see in Wazuh the win.eventdata.ParentProcessName of Process1.exe fire off the win.eventdata.newProcessName of cmd.exe...all good there.

We can build our rule off that as it is all good and rank of 0.... BUT  there is a subsequent event 46888 that has the parentProcessName of cmd.exe and the newProcessname of Powershell.exe and a commandline of "some posh command".  

It is plain to see that these are the same records of the original event...so how to I tell Wazuh that this second event is really the same as the first or came from the first event?

All insight is appreciated!!

[Alfonso Ruiz-Bravo]

Hi Thomas,

Unfortunately, right now Wazuh does not have this correlation of alerts or events that you need.

To somehow solve your problem I propose you to create a rule that inherits from the problematic rule and silences it, here is an example:

https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-configuration.html#configuring-ignoring-files-via-rules

If this does not solve it, you can also overwrite the problematic rule to avoid the false positive: (see overwrite setting)

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html?highlight=overwrite

I hope this information will help you to alleviate your problem.

Best regards,

Alfonso Ruiz-Bravo