Wazuh - TrendMicro Logs


Security One

Oct 5, 2022, 6:10:01 PM10/5/22
to Wazuh mailing list
Hello - New installation here. We are currently attempting to view TrendMicro Vision One (XDR) logs in Wazuh. We are sending them in CEF format as you can see below. We see the logs arriving based on the archives.log file. Where do we see these logs in the Wazuh dashboard itself? I'm assuming we need rules and decoders in order to see them somewhere? If so, can someone help with the rulesets? We see a few different logs in different formats.

2022 Oct 05 06:06:01 server01->10.10.10.10 Oct  4 23:06:01 server01 CEF:0|Trend Micro|Deep Security Agent|20.0.0.4726|3008670|Microsoft Windows Security Events - 3|8|cn1=313 cn1Label=Host ID dvchost=server01.domain.com TrendMicroDsTenant=123456789010 TrendMicroDsTenantId=123456 cs1=ATTACK T1069.001: Security-enabled local group membership enumerated multiple times cs1Label=LI Description fname=Security duser=(no user) shost=server01 msg=WinEvtLog: Security: AUDIT_SUCCESS(4799): Microsoft-Windows-Security-Auditing: (no user): no domain: server01.domain.com: Administrators Builtin S-1-5-32-544 S-1-5-18 server01$ DOM 0x3e7 0x5f74 C:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe

2022 Oct 05 06:13:21 server01->10.10.10.10 Oct  4 23:13:21 server01 CEF:0|Trend Micro|Deep Security Agent|20.0.0.4726|3011273|Microsoft Windows Firewall Events|6|cn1=313 cn1Label=Host ID dvchost=server01.domain.com TrendMicroDsTenant=123456789010 TrendMicroDsTenantId=123456 cs1=Firewall rule deleted cs1Label=LI Description fname=Application duser=(no user) shost=server01 msg=WinEvtLog: Application: INFORMATION(2006): ESE: (no user): no domain: server01.domain.com: Information Store - DOMC2016A (10344,G,0,15.01.2176.014) Shadow copy instance 16 completed successfully.      For more information, click http://www.microsoft.com/contentredirect.asp.

2022 Oct 05 06:13:25 server01->10.10.10.10 Oct  4 23:13:25 server01 CEF:0|Trend Micro|Deep Security Agent|20.0.0.4726|3003987|Microsoft Windows Security Events - 2|8|cn1=313 cn1Label=Host ID dvchost=server01.domain.com TrendMicroDsTenant=123456789010 TrendMicroDsTenantId=123456 cs1=ATTACK T1562.004: Windows Firewall exception list changed. Rule deleted cs1Label=LI Description fname=Security duser=(no user) shost=server01 msg=WinEvtLog: Security: AUDIT_SUCCESS(4948): Microsoft-Windows-Security-Auditing: (no user): no domain: server01.domain.com: A change has been made to Windows Firewall exception list. A rule was deleted.  Profile Changed: All  Deleted Rule:  Rule ID: {2CE3BC9B-F166-4EEA-8F82-AF8154A4B8F3}  Rule Name: VeeamGuestHelper (In)

2022 Oct 05 06:21:11 server01->10.10.10.10 Oct  4 23:21:11 server01 CEF:0|Trend Micro|Deep Security Agent|20.0.0.4726|3002795|Microsoft Windows Events|6|cn1=313 cn1Label=Host ID dvchost=server01.domain.com TrendMicroDsTenant=123456789010 TrendMicroDsTenantId=123456 cs1=Log file is cleared cs1Label=LI Description fname=System duser=SYSTEM shost=server01 msg=WinEvtLog: System: INFORMATION(104): Microsoft-Windows-Eventlog: SYSTEM: NT AUTHORITY: server01.domain.com: The Microsoft-Exchange-ManagedAvailability/ThrottlingConfig log file was cleared.

2022 Oct 05 06:50:06 server01->10.10.10.10 Oct  4 23:50:06 server01 CEF:0|Trend Micro|Deep Security Agent|20.0.0.4726|3004057|Microsoft Windows Security Events - 1|6|cn1=313 cn1Label=Host ID dvchost=server01.domain.com TrendMicroDsTenant=123456789010 TrendMicroDsTenantId=123456 cs1=Security enabled local group changed cs1Label=LI Description fname=Security duser=(no user) shost=server01 msg=WinEvtLog: Security: AUDIT_SUCCESS(4735): Microsoft-Windows-Security-Auditing: (no user): no domain: server01.domain.com: A security-enabled local group was changed. Subject:  Security ID:  S-1-5-18  Account Name:  server01$  Account Domain:  DOM  Logon ID:  0x3e7  Group:  Security ID:  S-1-5-32-544  Group Name:  Administrators  Group Domain:  Builtin  Changed Attributes:  SAM Account Name: -  SID History:  -  Additional Information:  Privileges:  -

2022 Oct 05 06:50:06 server01->10.10.10.10 Oct  4 23:50:06 server01 CEF:0|Trend Micro|Deep Security Agent|20.0.0.4726|3003987|Microsoft Windows Security Events - 2|8|cn1=313 cn1Label=Host ID dvchost=server01.domain.com TrendMicroDsTenant=123456789010 TrendMicroDsTenantId=123456 cs1=ATTACK T1562.004: Windows Firewall Group Policy settings have changed cs1Label=LI Description fname=Security duser=(no user) shost=server01 msg=WinEvtLog: Security: AUDIT_SUCCESS(4954): Microsoft-Windows-Security-Auditing: (no user): no domain: server01.domain.com: Windows Firewall Group Policy settings has changed. The new settings have been applied

Facundo Dalmau

Oct 6, 2022, 9:25:47 AM10/6/22
to Wazuh mailing list
Hi! Thanks for using Wazuh!

As you mentioned, you need to create the corresponding decoders and rules in order to generate different alerts based on the logs.
The following documentation can help you:
Custom rules and decoders

After creating the decoders and rules for your use case, you can test them with the Wazuh-logtest tool which is described here:
Wazuh Logtest
Wazuh Logtest - Options
Basically, this tool can be fed with your logs and shows the process carried out by Wazuh and whether or not they would generate an alert. It will show what fields would be decoded by decoders, which decoder would be used (if any), and what rule would be matched (if any).

If you have any doubts, don't hesitate to ask.
Regards,
Facundo

Security One

Oct 6, 2022, 6:29:33 PM10/6/22
to Wazuh mailing list
Thanks. I was giving it a shot with this, but it doesn't seem to match the decoder.

LOG
2022 Oct 05 06:06:01 server01->10.10.10.10 Oct  4 23:06:01 server01 CEF:0|Trend Micro|Deep Security Agent|20.0.0.4726|3008670|Microsoft Windows Security Events - 3|8|cn1=313 cn1Label=Host ID dvchost=server01.domain.com TrendMicroDsTenant=123456789010 TrendMicroDsTenantId=123456 cs1=ATTACK T1069.001: Security-enabled local group membership enumerated multiple times cs1Label=LI Description fname=Security duser=(no user) shost=server01 msg=WinEvtLog: Security: AUDIT_SUCCESS(4799): Microsoft-Windows-Security-Auditing: (no user): no domain: server01.domain.com: Administrators Builtin S-1-5-32-544 S-1-5-18 server01$ DOM 0x3e7 0x5f74 C:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe

DECODER
<decoder name="cef_trend_micro">
    <program_name>CEF</program_name>
    <prematch>0\|Trend Micro\|</prematch>
</decoder>

<decoder name="cef_deep_security_agent">
    <parent>cef_trend_micro</parent>
    <prematch>Trend Micro\|Deep Security Agent\|</prematch>
    <regex>^0\|Trend Micro\|(\.+)\|(\.+)\|\d+\|(\.+)\|\d+\|</regex>
    <order>application,version,type</order>
</decoder>

RESULT
**Messages:
    INFO: (7202): Session initialized with token 'a41e9ae7'

**Phase 1: Completed pre-decoding.
    full event: '2022 Oct 05 06:06:01 server01->10.10.10.10 Oct  4 23:06:01 server01 CEF:0|Trend Micro|Deep Security Agent|20.0.0.4726|3008670|Microsoft Windows Security Events - 3|8|cn1=313 cn1Label=Host ID dvchost=server01.domain.com TrendMicroDsTenant=123456789010 TrendMicroDsTenantId=123456 cs1=ATTACK T1069.001: Security-enabled local group membership enumerated multiple times cs1Label=LI Description fname=Security duser=(no user) shost=server01 msg=WinEvtLog: Security: AUDIT_SUCCESS(4799): Microsoft-Windows-Security-Auditing: (no user): no domain: server01.domain.com: Administrators Builtin S-1-5-32-544 S-1-5-18 server01$ DOM 0x3e7 0x5f74 C:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe'
    timestamp: '2022 Oct 05 06:06:01'

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 3: Completed filtering (rules).
    id: '1002'
    level: '2'
    description: 'Unknown problem somewhere in the system.'
    groups: '["syslog","errors"]'
    firedtimes: '1'
    gpg13: '["4.3"]'
    mail: 'false'

Security One

Oct 6, 2022, 6:46:49 PM10/6/22
to Wazuh mailing list
OK, the following seems to be matching all the logs I put up on the post. Once the decoder is in place, will I be able to see the logs in Wazuh somewhere or do I still need rules?

<decoder name="cef_trend_micro">
    <prematch>0\|Trend Micro\|</prematch>
</decoder>

<decoder name="cef_deep_security_agent">
    <parent>cef_trend_micro</parent>
    <prematch>Trend Micro\|Deep Security Agent\|</prematch>
    <regex>^0\|Trend Micro\|(\.+)\|(\.+)\|\d+\|(\.+)\|\d+\|</regex>
    <order>application,version,type</order>
</decoder>
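Worked example for both questions in this thread (where the fields end up, and whether rules are still needed). This is an added example, not code from the thread and not part of Wazuh's shipped ruleset. It assumes Wazuh 4.3 or later so that `<regex type="pcre2">` is available, that the files live at the standard paths `/var/ossec/etc/decoders/local_decoder.xml` and `/var/ossec/etc/rules/local_rules.xml`, and that rule IDs 100200-100204 are unused in your custom range. The decoder and field names (`cef-trend-micro`, `cef-trend-micro-dsa`, `event_id`, `event_name`, `cs1`, ...) are chosen here, not taken from the thread. A decoder alone only extracts fields; an alert (and therefore a dashboard entry) needs a rule, which is what the second file provides.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml -->

<!-- Parent: identifies any Trend Micro CEF event. The prematch is deliberately not
     anchored with ^, so it matches both the raw syslog line and the archives.log copy
     pasted in the thread (which carries the "2022 Oct 05 ... server01->10.10.10.10" prefix). -->
<decoder name="cef-trend-micro">
  <prematch>0\|Trend Micro\|</prematch>
</decoder>

<!-- Child: Deep Security Agent events. CEF header fields are pipe-delimited and positional
     (version|event id|event name|severity); the extension is key=value pairs in the order the
     agent emits them. Lazy quantifiers keep cs1 (free text with spaces) from swallowing
     the following keys. Requires Wazuh 4.3+ for type="pcre2" (assumption). -->
<decoder name="cef-trend-micro-dsa">
  <parent>cef-trend-micro</parent>
  <prematch offset="after_parent">^Deep Security Agent\|</prematch>
  <regex type="pcre2" offset="after_prematch">^([^|]+)\|(\d+)\|([^|]+)\|(\d+)\|.*?dvchost=(\S+) .*?cs1=(.+?) cs1Label=.*?shost=(\S+) msg=(.*)$</regex>
  <order>version, event_id, event_name, severity, dvchost, cs1, shost, msg</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="trend_micro,deep_security,">

  <!-- Base rule: every decoded Deep Security Agent event becomes a level-3 alert, which is
       what makes it appear in the dashboard (the default alert threshold is level 3). -->
  <rule id="100200" level="3">
    <decoded_as>cef-trend-micro</decoded_as>
    <description>Trend Micro Deep Security Agent: $(event_name) - $(cs1)</description>
  </rule>

  <!-- Any event that log inspection tagged with an ATT&CK technique (cs1 starts with "ATTACK T..."). -->
  <rule id="100201" level="8">
    <if_sid>100200</if_sid>
    <field name="cs1">^ATTACK T\d+</field>
    <description>Trend Micro Deep Security Agent: ATT&amp;CK-tagged event - $(cs1)</description>
  </rule>

  <!-- Windows Firewall exception list / Group Policy changes (T1562.004 in the thread's samples). -->
  <rule id="100202" level="10">
    <if_sid>100201</if_sid>
    <field name="cs1">^ATTACK T1562.004:</field>
    <description>Trend Micro Deep Security Agent: Windows Firewall configuration changed on $(dvchost) - $(cs1)</description>
    <mitre>
      <id>T1562.004</id>
    </mitre>
  </rule>

  <!-- Repeated local group membership enumeration (T1069.001 in the thread's samples). -->
  <rule id="100203" level="8">
    <if_sid>100201</if_sid>
    <field name="cs1">^ATTACK T1069.001:</field>
    <description>Trend Micro Deep Security Agent: local group enumeration on $(dvchost) - $(cs1)</description>
    <mitre>
      <id>T1069.001</id>
    </mitre>
  </rule>

  <!-- Event log cleared (Windows event 104 in the samples). Not ATTACK-tagged by the agent,
       so it hangs off the base rule rather than 100201. -->
  <rule id="100204" level="8">
    <if_sid>100200</if_sid>
    <field name="cs1">^Log file is cleared$</field>
    <description>Trend Micro Deep Security Agent: a Windows event log was cleared on $(dvchost)</description>
    <mitre>
      <id>T1070.001</id>
    </mitre>
  </rule>
</group>
```

After saving both files, run `/var/ossec/bin/wazuh-logtest` and paste one of the sample lines: phase 2 should now list `version`, `event_id`, `event_name`, `cs1` and the other fields, and phase 3 should report rule 100202 for the firewall samples and 100203 for the group enumeration sample. Then `systemctl restart wazuh-manager`; the alerts show up in the dashboard's security events and can be filtered on `rule.groups: trend_micro`. Rule 100201 uses the default OS_Regex syntax in `<field>`, where `.` is a literal dot, so `T1562.004` matches exactly.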
