Wazuh Test Rules


Miran Ul Haq

Apr 3, 2024, 6:19:51 AM
to Wazuh | Mailing List
Hi All,

I am new to Wazuh and would like to understand how test rules work.

Basically, I created a custom rule based on a modification of an existing rule. For example, I modified the rule to only alert me when a specific user makes an RDP connection. Now, I want to test this via the command line.

What test log should I paste into wazuh-logtest to trigger this alert?

Thanks.

Julio Cesar Biset

Apr 3, 2024, 3:12:26 PM
to Wazuh | Mailing List
Hi Miran.
In principle, the only thing you would have to do is obtain an example log of an RDP connection. This can vary depending on the operating system. Which operating system would you be monitoring these connections on? Mainly so I can generate an example log that you can pass to wazuh-logtest. Also, if you can show how the rule turned out, I can test it to give you a better answer with examples.
Also, in case it helps you, I leave a link to the associated documentation: https://documentation.wazuh.com/current/user-manual/ruleset/testing.html#using-the-wazuh-dashboard-and-the-command-line-tool
I also leave you a related link to see the logs in Windows: https://woshub.com/rdp-connection-logs-forensics-windows/

Regards!

Miran Ul Haq

Apr 5, 2024, 6:24:52 AM
to Wazuh | Mailing List
Hi Julio,

Thanks for reaching out.

So, to get a test/simulated log for testing, there should be an existing log in the first place?

Thanks for the reference document.

Regards,
Miran

Julio Cesar Biset

Apr 5, 2024, 1:51:39 PM
to Wazuh | Mailing List
Hi Miran.
It does not necessarily have to exist, but if it is based on an existing one, all the better, because you will have exactly the correct format and syntax. It may even lead you to create better criteria in the rule.
However, if you obtain the format and syntax of the corresponding log from a reliable source, taking into account the operating system, it can also be very useful.
I will consult with the team to see if they know of or have any reference for this type of log.

Regards!

Miran Ul Haq

Apr 8, 2024, 7:40:45 AM
to Wazuh | Mailing List
Hi Julio,

I would appreciate it if you could share any reference or something similar.

I have been trying on a test server to get logs created that I may use for testing and so on.

Thanks.

Julio Cesar Biset

Apr 8, 2024, 9:52:38 AM
to Wazuh | Mailing List
Hi Miran.

After consulting with the team, I confirmed that if the events you want to monitor come from Windows, these events are actually managed through the Windows eventchannel. However, this is not a direct process, since the events are in XML format. These events must be previously processed by the manager to convert them from XML to JSON, before continuing with the normal process.

I'm currently preparing a summary so you can mock and test the rule you want to implement. I'm assuming you're trying to monitor an RDP event on Windows, but it would be helpful if you could confirm this, as the approach may vary depending on the operating system. Also, if you could provide me with the rule you created, it would be a great help to check the rule, perform tests, and to include it in the summary I am preparing for you.

Regards!

Miran Ul Haq

Apr 8, 2024, 5:13:36 PM
to Wazuh | Mailing List

Hi Julio,

I really appreciate your assistance.
Basically, not only RDP, but I have a list of rules I am working on implementing, and I would want to test them as well as have evidence that these rules would work.

  • Multiple failed domain account login attempts using local login
  • Multiple failed domain account login attempts using rdp login
  • Successful Login using local administrator account
  • Failed login using local administrator account
  • Successful Login at Unusual Time
  • Local User Creation
  • Local User added in administrator group.
These are the rules I am working on.

Thanks much.

Regards,

Julio Cesar Biset

Apr 9, 2024, 10:59:36 AM
to Wazuh | Mailing List
Hi Miran.

I'll give you a way to test your rules by generating a fake event through a script that a colleague made: https://github.com/f-galland/wazuh-scripts/blob/main/fake_eventchannel.py

  1. First of all, you need to get the XML event through the Windows Event Viewer. To access it, go to the menu, type "event", and the Event Viewer should appear. (1-event-view-menu.png)
  2. Then you would have to make an RDP connection for the event to appear (in this case Event ID 4624), as seen in image 2-event-viewer-logon.png.
  3. Once you have the event, you will be able to copy it as text and save it in a file to use with the script to generate the log in alerts.log. (3-copy-event-as-text.png)
  4. In order to generate the log in alerts.log, you have to have both the event file and the script in the environment where the manager runs, and execute it with Python as shown in image 4-execute-script-fake-event.png.
  5. If everything went well, when you check /var/ossec/logs/alerts/alerts.log you should have a log. (5-cat-alerts-log.png)
  6. You can also use that log from /var/ossec/logs/alerts/alerts.log in the Ruleset Test to evaluate which rule matches; in this case, 60106. (6-ruleset-test.png)

By repeating these steps you could try different events that are registered through the Windows eventchannel. I hope I have explained myself well. If there is anything else, don't hesitate to write.

Regards! 
6-ruleset-test.png
4-execute-script-fake-event.png
1-event-view-menu.png
3-copy-event-as-text.png
5-cat-alerts-log.png
2-event-viewer-logon.png
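The procedure above hinges on one transformation: the XML event copied out of Event Viewer has to become the `{"win": {"system": ..., "eventdata": ...}}` JSON that the Wazuh eventchannel decoder consumes before any rule (such as 60106) can match it. The following is an added example, written for this thread; it is not the colleague's fake_eventchannel.py and not Wazuh's own code. It parses a constructed Security 4624 event (RDP logon, LogonType 10, made-up user and addresses) into that JSON shape, emits a single line you could paste into wazuh-logtest, and models the kind of "RDP logon by a specific user" condition the original question asked about. The exact set of `win.system` fields the real agent emits, and the lower-camel-case naming (`eventID`, `targetUserName`, `logonType`), are assumed from Wazuh's documented alert output; the event content itself is constructed.

```python
"""Convert an Event Viewer XML export of a Windows Security event into the
JSON layout the Wazuh eventchannel decoder expects, then evaluate a
simplified model of an "RDP logon by user X" rule against it.

Added example for illustration; field naming follows Wazuh's documented
alert output (assumed), and the sample event is constructed.
"""
import json
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
RDP_LOGON_TYPE = "10"  # Windows LogonType 10 = RemoteInteractive (RDP)

# Constructed sample: a trimmed Security 4624 event as Event Viewer exports it.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2024-04-08T12:34:56.789Z"/>
    <EventRecordID>12345</EventRecordID>
    <Correlation/>
    <Execution ProcessID="700" ThreadID="1234"/>
    <Channel>Security</Channel>
    <Computer>WIN-TEST.example.local</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="WorkstationName">CLIENT01</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
    <Data Name="IpPort">50123</Data>
  </EventData>
</Event>"""


def lower_first(name):
    """Wazuh names fields in lower camel case: EventID -> eventID."""
    return name[:1].lower() + name[1:] if name else name


def xml_event_to_wazuh_json(xml_text):
    """Build the {"win": {"system": {...}, "eventdata": {...}}} structure."""
    root = ET.fromstring(xml_text)
    system = root.find(NS + "System")
    eventdata = root.find(NS + "EventData")

    sys_fields = {}
    provider = system.find(NS + "Provider")
    if provider is not None and provider.get("Name"):
        sys_fields["providerName"] = provider.get("Name")
    for tag in ("EventID", "Version", "Level", "Task", "Opcode", "Keywords",
                "EventRecordID", "Channel", "Computer"):
        node = system.find(NS + tag)
        if node is not None and node.text:
            sys_fields[lower_first(tag)] = node.text.strip()
    created = system.find(NS + "TimeCreated")
    if created is not None and created.get("SystemTime"):
        sys_fields["systemTime"] = created.get("SystemTime")
    execution = system.find(NS + "Execution")
    if execution is not None:
        for attr in ("ProcessID", "ThreadID"):
            if execution.get(attr):
                sys_fields[lower_first(attr)] = execution.get(attr)

    # Each <Data Name="X"> becomes eventdata.x (first letter lowered).
    data = {}
    if eventdata is not None:
        for d in eventdata.findall(NS + "Data"):
            name = d.get("Name")
            if name and d.text is not None:
                data[lower_first(name)] = d.text.strip()
    return {"win": {"system": sys_fields, "eventdata": data}}


def to_logtest_line(event):
    """One compact JSON line, suitable as wazuh-logtest input."""
    return json.dumps(event, separators=(",", ":"))


def matches_rdp_logon_for_user(event, user):
    """Model of a rule: 4624 + LogonType 10 + a specific target user."""
    system = event["win"]["system"]
    data = event["win"]["eventdata"]
    return (system.get("eventID") == "4624"
            and data.get("logonType") == RDP_LOGON_TYPE
            and data.get("targetUserName", "").lower() == user.lower())


if __name__ == "__main__":
    event = xml_event_to_wazuh_json(SAMPLE_EVENT_XML)
    print(to_logtest_line(event))
    print("RDP logon by jdoe:", matches_rdp_logon_for_user(event, "jdoe"))
```

Run it and paste the printed line into wazuh-logtest to see which rules fire. The Python condition corresponds to the way such a rule is typically expressed in Wazuh XML, a child of the logon-success rule that pins the logon type and user: `<if_sid>60106</if_sid>`, `<field name="win.eventdata.logonType">^10$</field>`, `<field name="win.eventdata.targetUserName">^jdoe$</field>`. Feeding a constructed event with LogonType 2 (interactive) is a quick way to confirm the rule does not also fire on console logons.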

Miran Ul Haq

May 8, 2024, 1:55:26 PM
to Wazuh | Mailing List
Hi Julio,

Apologies for the delay as I was busy on a project. 
I really appreciate the script and all that you have provided. Will test it and let you know.

Thank you for all the assistance.

Regards,
Miran