Hi Everyone,
I'm trying to add a negative lookahead to Rule ID 92650 in 0840-win_event_channel.xml to filter out some known-good events, but I'm not having luck getting the rule to not trigger.
The default 92650 rule is...
  <rule id="92650" level="12">
    <if_sid>61138</if_sid>
    <field name="win.eventdata.imagePath">^%systemroot%\\\\\w+\.exe$</field>
    <options>no_full_log</options>
    <description>New Windows Service Created to start from windows root path. Suspicious event as the binary may have been dropped using Windows Admin Shares.</description>
    <mitre>
      <id>T1021.002</id>
      <id>T1569.002</id>
    </mitre>
  </rule>
The environment that I'm monitoring uses a Cisco ISE-PIC integration in its firewall to identify which user is currently logged in on Windows endpoints. ISE-PIC drops an exe that matches Rule 92650's pattern. It drops "%SystemRoot%\\ise-exec-svc.exe".
To try to stop the rule from triggering, I've updated the regex to include this Negative Lookahead...
^((?!%SystemRoot%\\\\ise-exec-svc\.exe)%systemroot%\\\\\w+\.exe)$
... but it's still triggering.
So, I guess I have a couple of questions...
1 - Any idea why that regex isn't working the way I expect it to? I did some quick testing using regex101. The "\w+" token there doesn't seem to match Wazuh's regex engine exactly (and the valid characters noted on the Wazuh Documentation for the syntax) so I changed that to "[a-zA-Z0-9_@-]+" and it matched without the negative lookahead and then didn't match with it.
2 - I'm new to Wazuh - is there a better way to accomplish the exclusion/exception that I'm trying to create?
Thanks,
Colin Edwards
CISSP, GDSA, GCIH, GMON, GCWN
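The usual Wazuh way to carve a known-good case out of a stock rule is not to edit the regex in 0840-win_event_channel.xml, but to add a child rule in local_rules.xml that fires on the same event and carries a lower level. The child rule below is an added example, not part of the original post or of the Wazuh ruleset. It assumes the manager's local rules file at /var/ossec/etc/rules/local_rules.xml, an unused custom rule id (100650; custom ids must be 100000 or higher) and the group name shown; it keys on the exact value quoted in the post, "%SystemRoot%\\ise-exec-svc.exe", using the same backslash-escaped, case-insensitive OSRegex syntax the parent rule uses (the default engine for <field> has no lookaround, which is why the lookahead attempt does not behave as it would on regex101).

```xml
<!-- Added example: exception child rule for Wazuh rule 92650.
     Goes in /var/ossec/etc/rules/local_rules.xml on the manager (path assumed).
     Rule id 100650 and the group name are assumptions; pick an unused id >= 100000. -->
<group name="local,windows,">
  <rule id="100650" level="0">
    <!-- Fire only on events that already matched the stock rule -->
    <if_sid>92650</if_sid>
    <!-- Default OSRegex syntax, same as the parent rule: "\\\\" matches the two
         literal backslashes in the logged imagePath value, "\." a literal dot.
         Literal text is matched case-insensitively, so %systemroot% also
         matches %SystemRoot%. -->
    <field name="win.eventdata.imagePath">^%systemroot%\\\\ise-exec-svc\.exe$</field>
    <!-- level 0 means no alert is generated for this known-good service -->
    <description>Known-good service: Cisco ISE-PIC agent binary in %SystemRoot% (suppresses rule 92650).</description>
  </rule>
</group>
```

Because a matching child rule replaces its parent's level, the ISE-PIC service creation event is swallowed at level 0 while every other %SystemRoot%\*.exe service still alerts at level 12. After restarting the manager, feed a copy of the ISE-PIC event into /var/ossec/bin/wazuh-logtest and confirm that the rule reported is 100650 (level 0), then feed a different %SystemRoot% path and confirm 92650 still fires. Keeping the exception in local_rules.xml also means the stock ruleset file is left untouched and survives upgrades.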