Sysmon 11 events not coming in


Александр Glum

Sep 16, 2024, 4:40:50 AM
to Wazuh | Mailing List
Good day!
How can I check whether logs are coming in?
I have Sysmon, and almost all events come in (Chrome, Sysmon 11 FileCreate). For some reason, only the file-creation events are missing. The events do occur on the endpoint and are displayed there.
Here are the decoder and rule:
<rule id="61613" level="0">
  <if_sid>61600</if_sid>
  <field name="win.system.eventID">^11$</field>
  <description>Sysmon - Event 11: FileCreate by $(win.eventdata.image)</description>
  <options>no_full_log</options>
  <group>sysmon_event_11,</group>
</rule>

<!--
Event ID 11:

2017 Mar 30 15:09:02 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(11): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-KND6QGDH48O: File created: UtcTime: 2017-03-30 15:09:02.934 ProcessGuid: {FE5A418C-1C6B-58DD-0000-001023A40B00} ProcessId: 3064 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Windows\System32\drivers\malware.txt CreationUtcTime: 2017-03-30 15:09:02.934
-->
<decoder name="Sysmon-EventID#11">
  <parent>windows</parent>
  <type>windows</type>
  <prematch>Microsoft-Windows-Sysmon/Operational: </prematch>
  <regex>Microsoft-Windows-Sysmon/Operational: \S+\((\d+)\)</regex>
  <order>id</order>
</decoder>

<decoder name="Sysmon-EventID#11">
  <parent>windows</parent>
  <type>windows</type>
  <regex offset="after_regex">File created: (\.*)\s+UtcTime: (\.*)\s+ProcessGuid: (\.*)\s+ProcessId: (\.*)\s+Image: (\.*)\s+TargetFilename: (\.*)\s+CreationUtcTime: (\.*)</regex>
  <order>sysmon.filecreated, sysmon.utctime, sysmon.processguid, sysmon.processid, sysmon.image, sysmon.targetfilename, sysmon.creationutctime</order>
</decoder>
<decoder name="sysmon_event11">
  <!-- Pre-filter by provider -->
  <prematch>Microsoft-Windows-Sysmon</prematch>

  <!-- First regular expression for EventID 11.
       These patterns use PCRE2 syntax (".*" and the lazy ".+?"), so they need
       type="pcre2": in the default OSSEC regex dialect "." is a literal dot
       ("\." is the wildcard) and there is no lazy quantifier. The angle brackets
       are XML-escaped so the decoder file itself stays well-formed. -->
  <regex type="pcre2">.*&lt;EventID&gt;(\d+)&lt;/EventID&gt;</regex>
  <order>event_id</order>

  <!-- Second regular expression for TargetFilename -->
  <regex type="pcre2">.*&lt;Data Name="TargetFilename"&gt;(.+?)&lt;/Data&gt;</regex>
  <order>target_filename</order>
</decoder>

Manuel Jose Cano Rojo

Sep 16, 2024, 5:24:32 AM
to Wazuh | Mailing List
Hi Александр Glum!

Could you provide more context about your case, I don't fully understand it. Could you tell me what you want to achieve?

Let me know and I will try to help you as soon as possible!

Regards,

Manuel.

Александр Glum

Sep 16, 2024, 5:29:24 AM
to Wazuh | Mailing List
Hello,
Manuel.

I wrote a rule:
<!-- Ransomware -->
<group name="windows,sysmon">
  <rule id="280914" level="3">
    <field name="win.eventdata.TargetFilename" type="pcre2">(?i)\.(encrypted|locked|crypt|enc|crypz|crypt12|vault|lock)$</field>
    <description>Potential Ransomware: Mass file modification</description>
    <group>ransomware, file_modification</group>
  </rule>
</group>

I configured the Sysmon configuration (Sysmon event ID 11, file created). The file-creation event is displayed on my endpoint.
But events with event ID 11 do not reach Wazuh itself at all.

On Monday, September 16, 2024 at 12:24:32 UTC+3, Manuel Jose Cano Rojo wrote:
[Screenshot attached: Screenshot_3.png]

Александр Glum

Sep 16, 2024, 5:32:24 AM
to Wazuh | Mailing List
And here it is in the logs on Wazuh:

On Monday, September 16, 2024 at 12:29:24 UTC+3, Александр Glum wrote:
[Screenshot attached: Screenshot_4.png]

Александр Glum

Sep 16, 2024, 6:42:14 AM
to Wazuh | Mailing List
Also, if you look through Explore - Discover, there are no events either.

On Monday, September 16, 2024 at 12:32:24 UTC+3, Александр Glum wrote:
[Screenshots attached: Screenshot_5.png, Screenshot_6.png]

Александр Glum

Sep 16, 2024, 6:58:19 AM
to Wazuh | Mailing List
Thank you. In any case, I managed to figure it out. The main rule was level 0, and it depended on another rule, 61613, which is also level 0.

On Monday, September 16, 2024 at 13:42:14 UTC+3, Александр Glum wrote:

Manuel Jose Cano Rojo

Sep 16, 2024, 7:06:33 AM
to Wazuh | Mailing List
Hi Александр Glum!

As you mentioned, if the rule you are trying to get fired is wrapped in a level-0 rule, neither rule will show up because of that level-0 severity.

I'm glad you solved it, let me know if you need anything else!

Regards,

Manuel.
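A rule that alerts on the case discussed in this thread, added here as an example; it is not the poster's rule and not part of the stock Wazuh ruleset. It assumes the stock rule 61613 (Sysmon Event 11, level 0) is loaded on the manager, reuses the poster's rule ID 280914 and extension list, and matches on win.eventdata.targetFilename, the camelCase field name the Wazuh eventchannel JSON decoder gives the Sysmon TargetFilename data element. The level 12 and the MITRE tag are choices made for this example.

```xml
<!-- Added example, not from the thread or the Wazuh ruleset.
     Rule 61613 is the stock Sysmon Event 11 rule (level 0); 280914 is the
     poster's rule ID. Level 12 and the MITRE mapping are choices made here. -->
<group name="windows,sysmon,">

  <!-- Chain from the stock level-0 Event 11 rule instead of re-matching the
       raw event. A level-0 rule never produces an alert by itself, so nothing
       about Event 11 reaches alerts.json (or Discover, which is fed from it)
       until a child rule with level >= 1 fires on the same event. -->
  <rule id="280914" level="12">
    <if_sid>61613</if_sid>
    <!-- targetFilename is the camelCase name the eventchannel JSON decoder
         produces for <Data Name="TargetFilename"> in the Sysmon event. -->
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\.(encrypted|locked|crypt|enc|crypz|crypt12|vault|lock)$</field>
    <description>Potential ransomware: $(win.eventdata.targetFilename) created by $(win.eventdata.image)</description>
    <mitre>
      <id>T1486</id>
    </mitre>
    <group>ransomware,file_modification,</group>
  </rule>

</group>
```

To check that Event 11 is actually arriving before blaming a rule, enable <logall_json>yes</logall_json> under <global> in the manager's ossec.conf and restart it: every event received from an agent is then written to /var/ossec/logs/archives/archives.json regardless of rule level, so a grep for "eventID":"11" there answers the "are logs coming in?" question directly. To check decoding and rule matching, paste one of those JSON lines (the whole line, starting with {"win":) into /var/ossec/bin/wazuh-logtest on the manager; the output should show the windows_eventchannel decoder, rule 61613 and, when the filename ends in one of the listed extensions, rule 280914 with its level.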