Sysmon Events Not Hitting
818 views
Skip to first unread message
Hisham Tariq
Apr 14, 2023, 4:06:04 AM4/14/23
to Wazuh mailing list
Hello, I am using the following version of Wazuhwazuh-agent: 4.3.6
wazuh-manager: 4.3.10
sysmon_schema_version: 4.83I have integrated Sysmon by using this blog https://wazuh.com/blog/using-wazuh-to-monitor-sysmon-events/ but my logs are not appearing in Kibana. When I debug the archive.json I found the log mentioned below.
in the log, the decoder is hitting the windows_eventchannel but the relevant rule is not hitting. I need your help kindly enlighten me{
"timestamp": "2023-04-13T16:11:53.313+0500",
"agent": {
"id": "032",
"name": "Hisham",
"ip": "192.168.10.2"
},
"manager": {
"name": "threathawk"
},
"id": "1681384313.5412837",
"full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"22\",\"version\":\"5\",\"level\":\"4\",\"task\":\"22\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-04-13T11:11:51.0051796Z\",\"eventRecordID\":\"543785\",\"processID\":\"6556\",\"threadID\":\"9780\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"Hisham-MSI\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Dns query:\\r\\nRuleName: -\\r\\nUtcTime: 2023-04-13 11:11:55.066\\r\\nProcessGuid: {757e7321-9391-6437-da6a-010000000600}\\r\\nProcessId: 17600\\r\\nQueryName: forms-cdn.clickup.com\\r\\nQueryStatus: 9501\\r\\nQueryResults: -\\r\\nImage: C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\\r\\nUser: HISHAM-MSI\\\\Hisham\\\"\"},\"eventdata\":{\"utcTime\":\"2023-04-13 11:11:55.066\",\"processGuid\":\"{757e7321-9391-6437-da6a-010000000600}\",\"processId\":\"17600\",\"queryName\":\"forms-cdn.clickup.com\",\"queryStatus\":\"9501\",\"image\":\"C:\\\\\\\\Program Files\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\",\"user\":\"HISHAM-MSI\\\\\\\\Hisham\"}}}",
"decoder": {
"name": "windows_eventchannel"
},
"data": {
"win": {
"system": {
"providerName": "Microsoft-Windows-Sysmon",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"eventID": "22",
"version": "5",
"level": "4",
"task": "22",
"opcode": "0",
"keywords": "0x8000000000000000",
"systemTime": "2023-04-13T11:11:51.0051796Z",
"eventRecordID": "543785",
"processID": "6556",
"threadID": "9780",
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "Hisham-MSI",
"severityValue": "INFORMATION",
"message": "\"Dns query:\r\nRuleName: -\r\nUtcTime: 2023-04-13 11:11:55.066\r\nProcessGuid: {757e7321-9391-6437-da6a-010000000600}\r\nProcessId: 17600\r\nQueryName: forms-cdn.clickup.com\r\nQueryStatus: 9501\r\nQueryResults: -\r\nImage: C:\\Program Files\\Mozilla Firefox\\firefox.exe\r\nUser: HISHAM-MSI\\Hisham\""
},
"eventdata": {
"utcTime": "2023-04-13 11:11:55.066",
"processGuid": "{757e7321-9391-6437-da6a-010000000600}",
"processId": "17600",
"queryName": "forms-cdn.clickup.com",
"queryStatus": "9501",
"image": "C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe",
"user": "HISHAM-MSI\\\\Hisham"
}
}
},
"location": "EventChannel"
}
===============================
<group name="sysmon,">
<rule id="255000" level="12"> <field name="win.eventdata.OriginalFileName">PowerShell.EXE</field>
<description>Sysmon - Event 1: Bad exe: $(win.eventdata.OriginalFileName)</description>
<group>sysmon_event1,powershell_execution,</group>
</rule> <rule id="255001" level="8">
<field name="win.system.eventID">22</field>
<description>Sysmon - Event 22: DNS Query to: $(win.eventdata.queryName) by $(win.eventdata.user)</description>
<group>sysmon_event_22,</group>
</rule>
</group>
==============================
wazuh-manager: 4.3.10
sysmon_schema_version: 4.83I have integrated Sysmon by using this blog https://wazuh.com/blog/using-wazuh-to-monitor-sysmon-events/ but my logs are not appearing in Kibana. When I debug the archive.json I found the log mentioned below.
in the log, the decoder is hitting the windows_eventchannel but the relevant rule is not hitting. I need your help kindly enlighten me{
"timestamp": "2023-04-13T16:11:53.313+0500",
"agent": {
"id": "032",
"name": "Hisham",
"ip": "192.168.10.2"
},
"manager": {
"name": "threathawk"
},
"id": "1681384313.5412837",
"full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"22\",\"version\":\"5\",\"level\":\"4\",\"task\":\"22\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-04-13T11:11:51.0051796Z\",\"eventRecordID\":\"543785\",\"processID\":\"6556\",\"threadID\":\"9780\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"Hisham-MSI\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Dns query:\\r\\nRuleName: -\\r\\nUtcTime: 2023-04-13 11:11:55.066\\r\\nProcessGuid: {757e7321-9391-6437-da6a-010000000600}\\r\\nProcessId: 17600\\r\\nQueryName: forms-cdn.clickup.com\\r\\nQueryStatus: 9501\\r\\nQueryResults: -\\r\\nImage: C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\\r\\nUser: HISHAM-MSI\\\\Hisham\\\"\"},\"eventdata\":{\"utcTime\":\"2023-04-13 11:11:55.066\",\"processGuid\":\"{757e7321-9391-6437-da6a-010000000600}\",\"processId\":\"17600\",\"queryName\":\"forms-cdn.clickup.com\",\"queryStatus\":\"9501\",\"image\":\"C:\\\\\\\\Program Files\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\",\"user\":\"HISHAM-MSI\\\\\\\\Hisham\"}}}",
"decoder": {
"name": "windows_eventchannel"
},
"data": {
"win": {
"system": {
"providerName": "Microsoft-Windows-Sysmon",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"eventID": "22",
"version": "5",
"level": "4",
"task": "22",
"opcode": "0",
"keywords": "0x8000000000000000",
"systemTime": "2023-04-13T11:11:51.0051796Z",
"eventRecordID": "543785",
"processID": "6556",
"threadID": "9780",
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "Hisham-MSI",
"severityValue": "INFORMATION",
"message": "\"Dns query:\r\nRuleName: -\r\nUtcTime: 2023-04-13 11:11:55.066\r\nProcessGuid: {757e7321-9391-6437-da6a-010000000600}\r\nProcessId: 17600\r\nQueryName: forms-cdn.clickup.com\r\nQueryStatus: 9501\r\nQueryResults: -\r\nImage: C:\\Program Files\\Mozilla Firefox\\firefox.exe\r\nUser: HISHAM-MSI\\Hisham\""
},
"eventdata": {
"utcTime": "2023-04-13 11:11:55.066",
"processGuid": "{757e7321-9391-6437-da6a-010000000600}",
"processId": "17600",
"queryName": "forms-cdn.clickup.com",
"queryStatus": "9501",
"image": "C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe",
"user": "HISHAM-MSI\\\\Hisham"
}
}
},
"location": "EventChannel"
}
===============================
<group name="sysmon,">
<rule id="255000" level="12"> <field name="win.eventdata.OriginalFileName">PowerShell.EXE</field>
<description>Sysmon - Event 1: Bad exe: $(win.eventdata.OriginalFileName)</description>
<group>sysmon_event1,powershell_execution,</group>
</rule> <rule id="255001" level="8">
<field name="win.system.eventID">22</field>
<description>Sysmon - Event 22: DNS Query to: $(win.eventdata.queryName) by $(win.eventdata.user)</description>
<group>sysmon_event_22,</group>
</rule>
</group>
==============================
victor....@wazuh.com
Apr 17, 2023, 6:41:16 AM4/17/23
to Wazuh mailing list
Hello Hishman,
If we take a look at the provided event we can see that it corresponds to a DNS Query event. This event would trigger the 61650 rule. However, this alert has a level 0, so it will not be logged by the manager. For this reason, you can not see it in the dashboard or stored in the alert.log file. Check this documentation page about alert threshold: https://documentation.wazuh.com/current/user-manual/manager/alert-threshold.html.
Logtest could be a great tool for testing your ruleset in this case. Windows event logs are not supported by the logtest tool. However, you can work around this issue by changing the base Windows rule 60000. In the rule file 0575-win-base_rules.xml, change the rule id 60000, removing the category tag and changing the decoded_as tag value for json.
It should look like this:
<rule id="60000" level="0">
<decoded_as>json</decoded_as>
<field name="win.system.providerName">\.+</field>
<options>no_full_log</options>
<description>Group of windows rules.</description>
</rule>
Now, using the logtest tool with your gathered event (stored in the full_log field) we can see even the level 0 alert triggered by your alert:
**Phase 3: Completed filtering (rules).
id: '61650'
level: '0'
description: 'Sysmon - Event 22: DNS Query event'
groups: '['windows', 'sysmon', 'sysmon_event_22']'
firedtimes: '1'
mail: 'False'
Regarding your rules, you should integrate them with the default Wazuh ruleset. In this case, if you want to overwrite the 61650 rule you can follow this approach:
<group name="sysmon_event1,">
<rule id="255001" level="8">
<description>Sysmon - Event 22: DNS Query to: $(win.eventdata.queryName) by $(win.eventdata.user)</description>
<group>sysmon_event_22,</group>
</rule>
</group>
We have added the if_sid option, so, this rule will match when rule 61650 is triggered.
Using the logtest we can see that our custom rule is triggering correctly:
**Phase 3: Completed filtering (rules).
id: '255001'
level: '8'
description: 'Sysmon - Event 22: DNS Query to: forms-cdn.clickup.com by HISHAM-MSI\\Hisham'
groups: '['sysmon_event1', 'sysmon_event_22']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.
Remember to reset the Windows-base rule to the default in order to trigger real Windows events in the production environment.
If you have any doubts do not hesitate to ask.
Reply all
Reply to author
Forward
0 new messages