Too many garbage logs for object access


Mark Rafa

Jan 22, 2021, 10:09:20 AM
to Wazuh mailing list
Hi, 

I have configured file access monitoring on Wazuh.
I need to monitor 2 directories. I followed every instruction step by step on https://wazuh.com/blog/how-to-monitor-folder-access-on-windows/ , however when I trigger the 4663 event ID rules (access to object), I receive lots of identical logs.
Wazuh receives logs from the event channel, but is there a way to filter or reduce the number of logs?

When I click the directory and get into the folder I get lots of identical

mark accessed //path folder.

logs.

It may be related to the number of subdirectories. If so, how can I prevent this from occurring?
Also, path\desktop.ini logs are received too many times when I click once.

My rule:
```
<var name="CriticalFolders">D:\\\\path|D:\\\\path</var>
<group name="windows, windows_security,">
  <rule id="100111" level="0">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4663$</field>
    <field name="win.eventdata.objectName">$CriticalFolders</field>
    <description>Object access information into critical folders</description>
    <options>no_full_log</options>
  </rule>
  <rule id="100112" level="3">
    <if_sid>100111</if_sid>
    <description>$(win.eventdata.subjectUserName) accessed $(win.eventdata.objectName) folder.</description>
    <options>no_full_log</options>
  </rule>
</group>
```

Regards, 

José Fernández

Feb 1, 2021, 6:22:28 AM
to Wazuh mailing list
Hello,

I could reproduce your problem and I saw that any action performed on the selected/critical folder launches lots of 4663 alerts. This effect is due to the Windows monitoring and reporting process.
To avoid alert spamming, we could take various actions:
  • Add the ignore modifier to the rule; this will trigger the alert only once in the specified timeframe (for example 2 seconds):
    ```
    <rule id="100112" level="10" ignore="2">
      <if_sid>100111</if_sid>
      <description>$(win.eventdata.subjectUserName) accessed $(win.eventdata.objectName) folder.</description>
      <options>no_full_log</options>
    </rule>
    ```
  • Modify the folder monitorization: if you set the audit policy to monitor all actions performed in the folder, subfolders and files will spam lots of access granted/denied events. The way to limit the alert number is to specify auditing for specific folders or files. See the attached image.

Take into account that any of these options could result in the loss of specific events that you may want to know about, like multiple accesses to the same folder in the given interval, or monitoring of the subfolders.

I hope it helps you, don't hesitate to ask us if you have any doubts.
communityAnswer.png
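To make the trade-off in the reply above concrete, here is a small added simulation (not code from the thread or from Wazuh). It replays a constructed burst of decoded 4663 events through the two rules quoted above: a regex standing in for the `CriticalFolders` variable, and a rule-level `ignore` window implemented as documented for Wazuh, i.e. once the rule fires, further matches of that rule are dropped for N seconds regardless of which user or object triggered them. It also ranks `objectName` values by frequency, which is the quickest way to see how much of the volume is `desktop.ini` and subfolder noise before tightening the audit policy. All paths, users and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample (not real data): seconds relative to the first event, user and
# objectName, roughly what one double-click on a folder with "Full control" auditing
# on the folder, subfolders and files produces after Wazuh decodes the event channel.
SAMPLE_EVENTS = [
    (0.00, "mark", r"D:\path"),
    (0.05, "mark", r"D:\path"),
    (0.10, "mark", r"D:\path\desktop.ini"),
    (0.12, "mark", r"D:\path\desktop.ini"),
    (0.15, "mark", r"D:\path\sub1"),
    (0.20, "mark", r"D:\path\sub1\desktop.ini"),
    (0.25, "mark", r"D:\path\sub2"),
    (1.50, "mark", r"D:\path"),
    (3.00, "mark", r"D:\path\report.docx"),
    (3.10, "mark", r"D:\path\report.docx"),
    (4.50, "alice", r"D:\path"),                  # a different user inside the window
    (9.00, "mark", r"C:\Users\mark\notes.txt"),   # outside the critical folders, never matches
]

# Stand-in for the thread's CriticalFolders variable: anything under D:\path.
CRITICAL_FOLDERS = re.compile(r"^D:\\path")


def critical_events(events, pattern=CRITICAL_FOLDERS):
    """Events whose objectName matches the critical-folder pattern (rule 100111)."""
    return [ev for ev in events if pattern.search(ev[2])]


def apply_ignore(events, ignore_seconds):
    """Simulate the rule-level `ignore` attribute on rule 100112: after the rule
    fires, every further match is dropped until `ignore_seconds` have elapsed.
    The window is per rule, not per user or object, so a second user's access
    inside the window is lost too. Returns the alerts that would still be raised."""
    alerts = []
    next_allowed = None
    for ts, user, obj in critical_events(events):
        if next_allowed is not None and ts < next_allowed:
            continue  # suppressed by the ignore window
        alerts.append((ts, user, obj))
        next_allowed = ts + ignore_seconds
    return alerts


def noisy_objects(events, top=3):
    """Rank objectName values by how often they appear among matching events,
    to see which paths (desktop.ini, subfolders) generate most of the volume."""
    return Counter(obj for _, _, obj in critical_events(events)).most_common(top)


def summarize(events, ignore_seconds):
    """Matched events vs. alerts actually raised for a given ignore window."""
    matched = len(critical_events(events))
    alerts = len(apply_ignore(events, ignore_seconds))
    return {"matched": matched, "alerts": alerts, "suppressed": matched - alerts}


if __name__ == "__main__":
    for window in (0, 2):
        print(f"ignore={window}:", summarize(SAMPLE_EVENTS, window))
    print("noisiest objects:", noisy_objects(SAMPLE_EVENTS))
    print("users still alerted with ignore=2:",
          sorted({user for _, user, _ in apply_ignore(SAMPLE_EVENTS, 2)}))
```

With `ignore="2"` the 11 matching events collapse to 2 alerts, but the access by the second user at 4.5 s falls inside the window opened at 3.0 s and is never alerted, which is exactly the loss the reply warns about. The object ranking shows the top-level folder and its `desktop.ini` files dominating, so scoping the audit ACL to the specific folders or files of interest removes most of the volume without relying on the window at all.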