Rule to detect Windows defender is disabled

mcarn...@nextel.es

Jun 11, 2018, 6:15:15 AM6/11/18
to Wazuh mailing list
Hello,

I'm new to using Wazuh. After much searching on the topic, I finally found that by default Windows Defender events are not reported from agents to the manager. I changed the agent configuration to be aware of Windows Defender events and now I'm able to see the alerts generated by the default rules included with Wazuh related to Windows Defender, I mean, rules 83001 and 83002.

I have written a rule in my local_rules.xml to trigger an alarm if Windows Defender is disabled. The rule is:

<group name="risk,">

  <rule id="100004" level="12">
    <if_sid>83000</if_sid>
    <match>disabled</match>
    <description>Windows Defender: It has been disabled</description>
  </rule>

</group>

After restarting the wazuh-manager the rule is not being triggered and I don't know why.

Any idea?

Thanks in advance!

Manuel Carnerero

Jesus Linares

Jul 31, 2018, 9:17:42 AM7/31/18
to Wazuh mailing list
Hi Manuel,

Please enable the log_all setting in order to see every event coming to the manager, and share the full_log here. In this way, we can help you with the decoders and rules.

Thanks,
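An added example, not from the original thread, of how the detection in the first post could be keyed on Windows Defender's own event IDs instead of a substring match on the message, together with the manager setting the reply asks for (spelled `logall` in ossec.conf). It assumes, as the posted rule does, that 83000 is the parent rule grouping Microsoft-Windows-Windows Defender eventchannel events and that the agent forwards them as JSON with a `win.system.eventID` field; the event IDs are the ones Microsoft documents for Defender and should be confirmed against the full_log captured in archives.log.

```xml
<!-- File 1: /var/ossec/etc/ossec.conf on the manager.
     Logs every event the manager receives to
     /var/ossec/logs/archives/archives.log so the full_log of the
     Defender events can be inspected (the setting the reply calls log_all). -->
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>

<!-- File 2: /var/ossec/etc/rules/local_rules.xml.
     Assumption: rule 83000 groups all Microsoft-Windows-Windows Defender
     eventchannel events, as in the rule posted above. Matching on the
     decoded eventID field is independent of message wording and locale,
     unlike <match>disabled</match> against the full log. -->
<group name="risk,windows_defender,">

  <!-- Event 5001: "Real-time protection is disabled" (Microsoft's
       documented Defender event; verify against your captured full_log). -->
  <rule id="100004" level="12">
    <if_sid>83000</if_sid>
    <field name="win.system.eventID">^5001$</field>
    <description>Windows Defender: real-time protection has been disabled</description>
  </rule>

  <!-- Events 5010 and 5012: malware scanning / virus scanning disabled.
       Wazuh's regex syntax allows alternation with "|". -->
  <rule id="100005" level="12">
    <if_sid>83000</if_sid>
    <field name="win.system.eventID">^5010$|^5012$</field>
    <description>Windows Defender: malware or virus scanning has been disabled</description>
  </rule>

</group>
```

After restarting wazuh-manager, the archives.log line for a Defender event shows the exact field names the decoder produced, which is the quickest way to confirm that `win.system.eventID` is the right field to key on.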