Hi Team,
I wrote rules for my Defender alert logs to store them if the severity is low, medium, high, severe or informational. These rules work fine while testing, but they do not generate alerts, and I am unable to view them in my alerts index or my archives index. I did not write any custom decoders, as Wazuh has default decoders to parse the Defender alert log, and I wrote a rule to generate an alert based on the severity.
My rules:
<group name="defender_alerts">
  <!-- Rule for Informational Severity -->
  <rule id="100199" level="3">
    <decoded_as>json</decoded_as>
    <field name="severity">informational</field>
    <description>Microsoft Defender ATP - Informational Alert</description>
    <group>defender_alerts</group>
    <group>security</group>
  </rule>

  <!-- Rule for Low Severity -->
  <rule id="100200" level="5">
    <decoded_as>json</decoded_as>
    <field name="severity">low</field>
    <description>Microsoft Defender ATP - Low Severity Alert</description>
    <group>defender_alerts</group>
    <group>security</group>
  </rule>

  <!-- Rule for Medium Severity -->
  <rule id="100201" level="8">
    <decoded_as>json</decoded_as>
    <field name="severity">medium</field>
    <description>Microsoft Defender ATP - Medium Severity Alert</description>
    <group>defender_alerts</group>
    <group>security</group>
  </rule>

  <!-- Rule for High Severity -->
  <rule id="100202" level="10">
    <decoded_as>json</decoded_as>
    <field name="severity">high</field>
    <description>Microsoft Defender ATP - High Severity Alert</description>
    <group>defender_alerts</group>
    <group>security</group>
  </rule>

  <!-- Rule for Critical Severity -->
  <rule id="100203" level="12">
    <decoded_as>json</decoded_as>
    <field name="severity">critical</field>
    <description>Microsoft Defender ATP - Critical Severity Alert</description>
    <group>defender_alerts</group>
    <group>security</group>
  </rule>
</group>
My logs:
High severity alert:
{"id":"dad4e81e3f-0690-4800-a184-a466765633a0_1","azureTenantId":"3515977f-218e-4dc6-9399-ea1e0fbc3fb0","azureSubscriptionId":null,"riskScore":null,"tags":[],"activityGroupName":null,"assignedTo":"yasw...@gmail.com","category":"CredentialAccess","closedDateTime":"2025-03-08T11:58:28.2842613Z","comments":["The alert titled \"Mimikatz credential theft tool\" was triggered. Upon investigation, it was determined that the activity was performed by an internal user. Therefore, the alert has been closed."],"confidence":null,"createdDateTime":"2025-03-07T15:33:44.89Z","description":"The Mimikatz hacktool was detected on this device. Mimikatz is a credential theft tool that can harvest plaintext passwords, password hashes, smartcard PINs, and Kerberos tickets. An attacker might be trying to harvest credentials to log into this or other devices on the network, by impersonating a valid user.\n\nFor more information, read the Mimikatz tool profile Threat Analytics report: https://security.microsoft.com/threatanalytics3/51db19ab-081f-46f3-9fe1-3f5e5d2f8ee0/analystreport? and read the Actor profile: Storm-0875 Threat Analytics report https://security.microsoft.com/threatanalytics3/4f60801d-912e-4bcb-91b2-f46879c8a718/analystreport\n","detectionIds":[],"eventDateTime":"2025-03-07T15:31:56.1838516Z","feedback":"unknown","incidentIds":[],"lastEventDateTime":null,"lastModifiedDateTime":"2025-03-08T11:58:28.2966667Z","recommendedActions":[],"severity":"high","sourceMaterials":["https://security.microsoft.com/alerts/dad4e81e3f-0690-4800-a184-a466765633a0_1","https://security.microsoft.com/incidents/241"],"status":"resolved","title":"Mimikatz credential theft tool","vendorInformation":{"provider":"Microsoft Defender ATP","providerVersion":null,"subProvider":"MicrosoftDefenderATP","vendor":"Microsoft"},"alertDetections":[],"cloudAppStates":[],"fileStates":[{"name":"DA-ESS-ContentUpdate-latest.tar.gz","path":"C:\\Users\\SVignesh\\Downloads","riskScore":null,"fileHash":{"hashType":"sha1","hashValue":"1372a0294194808a453903f66643503edc45bc65"}}],"hostStates":[{"fqdn":"desktop-eb9qf8g","isAzureAdJoined":true,"isAzureAdRegistered":null,"isHybridAzureDomainJoined":null,"netBiosName":null,"os":"Windows11","privateIpAddress":"142.131.6.34","publicIpAddress":"112.13.91.116","riskScore":"none"}],"historyStates":[],"investigationSecurityStates":[],"malwareStates":[],"messageSecurityStates":[],"networkConnections":[{"applicationName":null,"destinationAddress":null,"destinationDomain":null,"destinationLocation":null,"destinationPort":null,"destinationUrl":"https://objects.githubusercontent.com/github-production-release-asset-2e65be/162346001/5dbb14d3-6df3-4dc5-8270-fdedfeebd1da?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250307%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250307T153149Z&X-Amz-Expires=300&X-Amz-Signature=d3825f52c25b8cf09cf76cd053f03f63161116abf0308aa1cace4cc998b4f531&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DDA-ESS-ContentUpdate-latest.tar.gz&response-content-type=application%2Foctet-stream","direction":null,"domainRegisteredDateTime":null,"localDnsName":null,"natDestinationAddress":null,"natDestinationPort":null,"natSourceAddress":null,"natSourcePort":null,"protocol":null,"riskScore":null,"sourceAddress":null,"sourceLocation":null,"sourcePort":null,"status":null,"urlParameters":null}],"processes":[],"registryKeyStates":[],"securityResources":[],"triggers":[],"userStates":[],"uriClickSecurityStates":[],"vulnerabilityStates":[]}
Low severity alert:
{"id":"da66fc11d6-ada1-41b6-acbc-b451b22ee1a8_1","azureTenantId":"351877f-218e-4dc6-9399-ea1e0fbc3fb0","azureSubscriptionId":null,"riskScore":null,"tags":[],"activityGroupName":null,"assignedTo":"API-Automated Investigation and Response","category":"Discovery","closedDateTime":"2025-03-09T14:20:51.6958573Z","comments":[],"confidence":null,"createdDateTime":"2025-03-09T02:49:52.11Z","description":"The machine has initiated connections to multiple machines on the network through the same set of ports. This might be an attempt to discover open ports for lateral movement.","detectionIds":[],"eventDateTime":"2025-03-09T02:48:01.7173376Z","feedback":null,"incidentIds":[],"lastEventDateTime":null,"lastModifiedDateTime":"2025-03-09T14:20:51.88Z","recommendedActions":[],"severity":"low","sourceMaterials":["https://security.microsoft.com/alerts/da66fc11d6-ada1-41b6-acbc-b731b22ee1a8_1","https://security.microsoft.com/incidents/243"],"status":"resolved","title":"Horizontal port scan initiated","vendorInformation":{"provider":"Microsoft Defender ATP","providerVersion":null,"subProvider":"MicrosoftDefenderATP","vendor":"Microsoft"},"alertDetections":[],"cloudAppStates":[],"fileStates":[{"name":"python.exe","path":"C:\\Users\\SVignesh\\AppData\\Local\\Programs\\Python\\Python312","riskScore":null,"fileHash":{"hashType":"sha1","hashValue":"6040dbb6943b65606244ace66c196842988b02c62"}}],"hostStates":[{"fqdn":"desktop-eb9qf8g","isAzureAdJoined":true,"isAzureAdRegistered":null,"isHybridAzureDomainJoined":null,"netBiosName":null,"os":"Windows11","privateIpAddress":"123.18.0.187","publicIpAddress":"194.15.01.41","riskScore":"none"}],"historyStates":[],"investigationSecurityStates":[],"malwareStates":[],"messageSecurityStates":[],"networkConnections":[],"processes":[],"registryKeyStates":[],"securityResources":[],"triggers":[],"userStates":[{"aadUserId":"1c4c27a3-e413-43be-9852-26b8902da2df","accountName":"SVignesh","domainName":"AzureAD","emailRole":"unknown","isVpn":null,"logonDateTime":null,"logonId":null,"logonIp":null,"logonLocation":null,"logonType":null,"onPremisesSecurityIdentifier":null,"riskScore":null,"userAccountType":null,"userPrincipalName":"svi...@gmail.com"}],"uriClickSecurityStates":[],"vulnerabilityStates":[]}
Medium severity alert:
{"id":"da8002881f-93d5-4a3b-b352-6f910ba10e27_1","azureTenantId":"3515977f-218e-4dc6-9399-ea1e0fbc3fb0","azureSubscriptionId":null,"riskScore":null,"tags":[],"activityGroupName":null,"assignedTo":"lolis...@gmail.com","category":"Persistence","closedDateTime":"2025-03-08T11:40:16.80477Z","comments":["The alert titled \"Anomaly detected in ASEP registry\" was triggered. Upon investigation, it was determined that the activity was performed by an internal user. We reached out to the user and learned that they deleted the file. Therefore, the alert has been closed."],"confidence":null,"createdDateTime":"2025-03-04T06:31:09.63Z","description":"A process registered a suspicious command or file in ASEP registry key, where it will be run after a reboot.\nAn attacker may place a malicious piece of software in such a location to prevent losing access if a machine is turned off.","detectionIds":[],"eventDateTime":"2025-03-04T06:20:39.4121894Z","feedback":"unknown","incidentIds":[],"lastEventDateTime":null,"lastModifiedDateTime":"2025-03-08T11:40:16.8233333Z","recommendedActions":[],"severity":"medium","sourceMaterials":["https://security.microsoft.com/alerts/da8002881f-93d5-4a3b-b352-6f910ba10e27_1","https://security.microsoft.com/incidents/233"],"status":"resolved","title":"Anomaly detected in ASEP registry","vendorInformation":{"provider":"Microsoft Defender ATP","providerVersion":null,"subProvider":"MicrosoftDefenderATP","vendor":"Microsoft"},"alertDetections":[],"cloudAppStates":[],"fileStates":[],"hostStates":[{"fqdn":"desktop-p3o45qe","isAzureAdJoined":true,"isAzureAdRegistered":null,"isHybridAzureDomainJoined":null,"netBiosName":null,"os":"Windows11","privateIpAddress":"154.163.0.115","publicIpAddress":"264.78.33.12","riskScore":"none"}],"historyStates":[],"investigationSecurityStates":[],"malwareStates":[],"messageSecurityStates":[],"networkConnections":[],"processes":[],"registryKeyStates":[],"securityResources":[],"triggers":[],"userStates":[{"aadUserId":"12f6e90c-3df2-41b4-8846-2b0c1798d4c0","accountName":"SaranVishva","domainName":"AzureAD","emailRole":"unknown","isVpn":null,"logonDateTime":null,"logonId":null,"logonIp":null,"logonLocation":null,"logonType":null,"onPremisesSecurityIdentifier":null,"riskScore":null,"userAccountType":null,"userPrincipalName":"sa...@gmail.com"}],"uriClickSecurityStates":[],"vulnerabilityStates":[]}
Please test my rules and get back to me if any changes are required. Please help me solve this issue.
Thank you!!
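As an added check (not part of the original post and not Wazuh's own code), the script below takes a trimmed copy of the "high" alert from the post, mirrors the severity-to-level mapping of the five rules, and reports the dotted path at which `severity` sits after JSON decoding, so the rule's `<field name>` can be compared with the field the decoder actually produces. The wrapped sample assumes an integration that nests the alert under a parent key (`ms-graph` is an assumed name used for illustration); a top-level `<field name="severity">` would not see that nested value.

```python
import json

# Severity value -> Wazuh rule level, mirroring the five rules in the post.
SEVERITY_LEVELS = {
    "informational": 3,
    "low": 5,
    "medium": 8,
    "high": 10,
    "critical": 12,
}


def find_field(event, name, prefix=""):
    """Return every dotted path at which key `name` appears in a decoded JSON event.

    Wazuh's JSON decoder exposes nested objects as dotted field names, so a
    rule's <field name="..."> must use the full dotted path, not only the leaf key.
    """
    paths = []
    if isinstance(event, dict):
        for key, value in event.items():
            path = f"{prefix}.{key}" if prefix else key
            if key == name:
                paths.append(path)
            paths.extend(find_field(value, name, path))
    elif isinstance(event, list):
        for item in event:
            paths.extend(find_field(item, name, prefix))
    return paths


def rule_level(event, field="severity"):
    """Level a top-level <field name="severity"> rule would assign, or None.

    Exact string match, like the literal patterns in the posted rules; returns
    None when the field is absent at top level or carries an unmapped value.
    """
    value = event.get(field)
    if not isinstance(value, str):
        return None
    return SEVERITY_LEVELS.get(value)


# Constructed samples: a trimmed copy of the "high" alert from the post, and the
# same alert wrapped under an integration key (assumed shape, for illustration).
FLAT_ALERT = json.loads(
    '{"id":"dad4e81e3f-0690-4800-a184-a466765633a0_1","category":"CredentialAccess",'
    '"severity":"high","status":"resolved","title":"Mimikatz credential theft tool",'
    '"vendorInformation":{"provider":"Microsoft Defender ATP","vendor":"Microsoft"}}'
)
WRAPPED_ALERT = {"integration": "ms-graph", "ms-graph": FLAT_ALERT}

if __name__ == "__main__":
    for label, ev in (("flat", FLAT_ALERT), ("wrapped", WRAPPED_ALERT)):
        print(label, "severity at:", find_field(ev, "severity"),
              "-> level from top-level rule:", rule_level(ev))
```

Paste the exact line the manager receives (from archives.json or the agent log) into `json.loads` in place of the constructed sample; if `find_field` reports a path other than plain `severity`, that path is what the rule's `<field name>` needs.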