How to get USB connected/disconnected logs from Active Directory
158 views
Skip to first unread message
Areeba Ali
Oct 21, 2022, 1:27:31 PM10/21/22
to Wazuh mailing list
Hi.
I hope you are all well, I have a question in regards to the capability of Monitoring Windows Active Directory. I am using Wazuh v4.1
I want to get USB event logs (location in Event viewer: Microsoft-Windows-DriverFrameworks-UserMode/Operational with Event ID 2003 and 2102) on the systems that are integrated with Active Directory.
Wazuh agent is installed on Active Directory machine and not on individual systems. I want to generate alert every time someone, whose laptop is joined with AD, attach or detach USB flash drive.
Pacome Kemkeu
Oct 22, 2022, 1:31:27 PM10/22/22
to Wazuh mailing list
You can configure the Wazuh agent on your AD server to capture the Windows Eventlog.
If the USB events of your laptop are populated on the event viewer of your AD server, the Wazuh agent will be able to pull them.
You can achieve it by adding the following block in your ossec.conf file :
<localfile>
You can achieve it by adding the following block in your ossec.conf file :
<localfile>
<location>Microsoft-Windows-DriverFrameworks-UserMode/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
Find here a list of available channels and providers that can be monitored.
Also, I would recommend you to check this blog post that shows how you can generate alerts when a USB storage device is connected to a Windows system that is being monitored by Wazuh and here a sample rule and configuration that goes with it.
I hope this helps you!
Find here a list of available channels and providers that can be monitored.
Also, I would recommend you to check this blog post that shows how you can generate alerts when a USB storage device is connected to a Windows system that is being monitored by Wazuh and here a sample rule and configuration that goes with it.
I hope this helps you!
Areeba Ali
Oct 24, 2022, 2:16:15 AM10/24/22
to Pacome Kemkeu, Wazuh mailing list
Thankyou for your reply. Kindly clear my confusion. Are the rules and decoders already integrated in wazuh or I would have to write decoders and rules for the same?
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/Lq9Zy_nrY0w/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6cf8468f-3f3a-407b-a3e0-f0d6ab0900ean%40googlegroups.com.
Pacome Kemkeu
Oct 24, 2022, 2:41:45 AM10/24/22
to Areeba Ali, Wazuh mailing list
There are decoders for windows eventing already. You'll have to create your own rules only. Kindly check the links I provided in the previous mail to have an overview on how to create rules.
Reply all
Reply to author
Forward
0 new messages