I cannot exclude by rule the field "data.win.eventdata.image".


gustavo rodriguez

Sep 28, 2023, 10:02:25 AM
to Wazuh | Mailing List
Hello, how are you?

I want to exclude some events in Wazuh, but I don't know how to exclude the "win.eventdata.image" field.

If I put the field as it appears in the Kibana dashboard, the rule does not work; if I put it with only one slash, for example, it does not work either:

option 1: C:\WINDOWS\servicing\TrustedInstaller.exe
option 2: C:\\WINDOWS\\servicing\\TrustedInstaller.exe

<group name="windows, sysmon, sysmon_event1">
  <rule id="100040" level="1">
    <if_sid>92217</if_sid>
    <field name="win.eventdata.image">^C:\\WINDOWS\\servicing\\TrustedInstaller.exe$</field>
    <description>Falso positivo insight</description>
    <options>no_full_log</options>
    <group>pci_dss_10.2.5,gdpr_IV_32.2,</group>
  </rule>
</group>

(attachment: Captura de pantalla 2023-09-28 105803.png)

Stuti Gupta

Sep 29, 2023, 12:14:13 AM
to Wazuh | Mailing List
Hi Gustavo,
Hope you are doing well today, and thank you for using Wazuh.

Let me explain how rules and decoders work. First, the logs are generated by servers or devices and sent to the manager server. Then the logs are decoded by the default decoders present on the manager side at /var/ossec/ruleset/decoders. If you get the logs but they don't match the default decoders, you have to make custom decoders. Once the log is decoded it is matched against the default rules present on the manager server at /var/ossec/ruleset/rules/. If it doesn't match any of the rules, or the rule level is less than 3, you won't get any alerts; in that case you have to make rules on the basis of the decoders and the log at /var/ossec/etc/rules/local_rules.xml.
So, there are default rules and decoders; if logs reach the manager but you don't get alerts in that situation, you need to create custom rules and decoders.
If you have a log and you want to test it, you can run it through /var/ossec/bin/wazuh-logtest and there you can see the decoders and rules for that particular log.

Now, can you please be more specific about what you are looking for? If you want this rule to be triggered, the rule level must be 3 or more.

<group name="windows, sysmon, sysmon_event1">
  <rule id="100040" level="1">
    <if_sid>92217</if_sid>
    <field name="win.eventdata.image" negate="yes">C:\\WINDOWS\\servicing\\TrustedInstaller.exe</field>
    <description>Falso positivo insight</description>
    <options>no_full_log</options>
    <group>pci_dss_10.2.5,gdpr_IV_32.2,</group>
  </rule>
</group>

If you want to ignore the field which has a specific path, you can use negate="yes":
<field name="win.eventdata.image" negate="yes">C:\\WINDOWS\\servicing\\TrustedInstaller.exe</field>

Hope this helps.
Regards,

gustavo rodriguez

Sep 29, 2023, 7:41:52 AM
to Wazuh | Mailing List
Hello Stuti, yes of course.

I want it not to register the events in this case when "win.eventdata.image" is C:\\WINDOWS\\servicing\\TrustedInstaller.exe; that's why I set the level to 1, so that the rule is not activated and does not register. But it still takes the default rule.

Using negate="yes", would it not register this event?

I await your comments

gustavo rodriguez

Oct 2, 2023, 8:04:46 AM
to Wazuh | Mailing List
Can you please help me?

Stuti Gupta

Oct 2, 2023, 11:48:10 PM
to Wazuh | Mailing List
Hi Gustavo,
Sorry for the late response,

Yes, you can use negate="yes" as shown below, so rule 92217 won't be triggered if win.eventdata.image is C:\\WINDOWS\\servicing\\TrustedInstaller.exe. Make sure that you modify the default rule by adding the overwrite="yes" tag. Please paste the default rule into /var/ossec/etc/rules/local_rules.xml and then edit the rule.

<rule id="92217" level="6" overwrite="yes">
  <if_group>sysmon_event_11</if_group>
  <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\\\Windows\\\\.+\.(exe|com|dll|vbs|js|bat|cmd|pif|wsh|ps1|lnk|msi|vbe)$</field>
  <field name="win.eventdata.image" negate="yes">C:\\WINDOWS\\servicing\\TrustedInstaller.exe</field>
  <options>no_full_log</options>
  <description>Executable dropped in Windows root folder</description>
  <mitre>
    <id>T1570</id>
  </mitre>
</rule>

To know how to change the existing rule please follow: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-rule

Hope this will help.
Regards.
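The evaluation the thread converges on, as an added example that is not Wazuh's source code nor any participant's: a small Python model that parses the overwritten rule 92217 with ElementTree and evaluates its `<field>` conditions against constructed, already-decoded Sysmon event 11 records, using Python's re module as a stand-in for the pcre2 engine. It assumes the decoded field values carry doubled backslashes, which is what the Kibana dashboard displays and what the thread's targetFilename pattern (four backslashes per separator under type="pcre2") is written to match, and it rewrites the image condition in that same pcre2 form; the thread's version leaves that condition in Wazuh's default regex dialect, which the model does not implement. Treating an absent field as satisfying no condition is a simplification of the model, not a statement about Wazuh.

```python
"""Model of how <field> conditions on a Wazuh rule are evaluated, with negate="yes".

Added example, not Wazuh source code.  Python's re module stands in for the
pcre2 engine; decoded win.eventdata values are assumed to carry doubled
backslashes, the form the page's targetFilename pattern is written to match.
"""
import re
import xml.etree.ElementTree as ET

# Overwritten rule from the thread.  The image condition is rewritten here in
# the same pcre2 dialect as the targetFilename condition (assumption: the thread
# leaves it in Wazuh's default regex dialect, which this model does not cover).
RULE_XML = r"""
<rule id="92217" level="6" overwrite="yes">
  <if_group>sysmon_event_11</if_group>
  <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\\\Windows\\\\.+\.(exe|com|dll|vbs|js|bat|cmd|pif|wsh|ps1|lnk|msi|vbe)$</field>
  <field name="win.eventdata.image" type="pcre2" negate="yes">^C:\\\\WINDOWS\\\\servicing\\\\TrustedInstaller\.exe$</field>
  <description>Executable dropped in Windows root folder</description>
</rule>
"""

# Constructed Sysmon event 11 records, already decoded into nested fields.
# Backslashes are doubled exactly as the Kibana dashboard displays them.
EVENTS = [
    {  # TrustedInstaller writing a DLL under C:\Windows: the exclusion target
        "win": {"eventdata": {
            "targetFilename": r"C:\\Windows\\servicing\\Packages\\helper.dll",
            "image": r"C:\\WINDOWS\\servicing\\TrustedInstaller.exe"}}},
    {  # some other process writing an executable into the Windows root
        "win": {"eventdata": {
            "targetFilename": r"C:\\Windows\\dropped.exe",
            "image": r"C:\\Users\\alice\\Downloads\\installer.exe"}}},
    {  # a file outside C:\Windows: never matched by this rule
        "win": {"eventdata": {
            "targetFilename": r"C:\\Users\\alice\\notes.txt",
            "image": r"C:\\Windows\\explorer.exe"}}},
]


def load_rule(xml_text):
    """Parse one <rule> element into its attributes and <field> conditions."""
    root = ET.fromstring(xml_text.strip())
    fields = [{
        "name": f.get("name"),
        "pattern": re.compile(f.text),   # type="pcre2" approximated by Python re
        "negate": f.get("negate") == "yes",
    } for f in root.findall("field")]
    return {
        "id": root.get("id"),
        "level": int(root.get("level")),
        "overwrite": root.get("overwrite") == "yes",
        "description": root.findtext("description"),
        "fields": fields,
    }


def get_field(event, dotted_name):
    """Resolve a dotted name such as win.eventdata.image in a decoded event."""
    current = event
    for part in dotted_name.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def rule_matches(rule, event):
    """Every <field> condition must hold; negate="yes" inverts one condition.

    Simplification: an absent field satisfies no condition, negated or not.
    """
    for cond in rule["fields"]:
        value = get_field(event, cond["name"])
        if value is None:
            return False
        hit = cond["pattern"].search(value) is not None
        if hit == cond["negate"]:   # positive condition missed, or negated one hit
            return False
    return True


def alerting_events(rule, events):
    """Indexes of the events on which the rule would raise an alert."""
    return [i for i, ev in enumerate(events) if rule_matches(rule, ev)]


def without_negated_fields(rule):
    """Copy of the rule with its negated conditions dropped: the stock rule 92217."""
    return {**rule, "fields": [c for c in rule["fields"] if not c["negate"]]}


if __name__ == "__main__":
    rule = load_rule(RULE_XML)
    print("stock rule alerts on events:", alerting_events(without_negated_fields(rule), EVENTS))
    print("with negate, alerts on events:", alerting_events(rule, EVENTS))
```

Running the block shows the stock rule alerting on events 0 and 1 and the overwritten rule only on event 1, which is the exclusion the thread is after: the TrustedInstaller write is dropped while the same file write by any other process still raises the level 6 alert. Because the rule keeps id 92217 and overwrite="yes", placing it in local_rules.xml replaces the stock rule instead of being loaded beside it.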