Hi S K,
Hope you are doing well. Thank you for using Wazuh.
This is a known issue for Google Chrome. It appears that these alerts are likely false positives originating from Chrome.
Check this document:
As a response, we have two available options: either filter these alerts or choose to ignore them.
Follow one of these in order to troubleshoot this issue:
Filter that case using an eventchannel query.
If you're receiving a large volume of alerts, which could strain your system resources, it might be best to filter these alerts using a query in your Windows agent configuration. You can make this adjustment in the Windows agent ossec.conf file (or use Centralized configuration if you want to apply this change in all your Windows endpoints). Here's an example of what the query might look like:
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*</Select>
        <Suppress Path="Security">*[System[(EventID=4673)]]
          and *[EventData[Data[@Name='PrivilegeList'] and (Data='SeProfileSingleProcessPrivilege')]]
          and *[EventData[Data[@Name='ProcessName'] and (Data='C:\Program Files\Google\Chrome\Application\chrome.exe')]]</Suppress>
      </Query>
    </QueryList>
  </query>
</localfile>
Please use this query cautiously, as it has not been thoroughly tested in a live environment.
More information about eventchannel queries can be found in Monitoring specific events from Windows event channel documentation.
Ignore the rule for that case:
Create a custom rule to ignore this case. Something like the following should do the job:
<rule id="100005" level="0">
  <if_sid>60107</if_sid> <!-- The ID of the parent rule -->
  <field name="win.eventdata.processName">C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe</field>
  <description>Custom rule used with Chrome.</description>
</rule>
Let me know if this solves your issue or if you need any further help.
Regards
Md. Nazmur Sakib
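As an added example (not part of the thread above, and not Wazuh's own tooling), the Suppress clause can be checked on the endpoint before it goes into ossec.conf: Get-WinEvent accepts the same QueryList XML that the eventchannel log collector passes to the Windows event log, so you can count what would still be forwarded and what would be dropped, and confirm no Chrome event with that privilege slips through. The Chrome path is an assumption; replace it with the ProcessName your 4673 events actually record. Run it in an elevated PowerShell on the Windows endpoint.

```powershell
# Added example: dry-run the eventchannel Suppress clause with Get-WinEvent.
# Assumption: chrome.exe lives at the path below (check a real 4673 event first).
$chrome = 'C:\Program Files\Google\Chrome\Application\chrome.exe'

# The Suppress clause exactly as it will appear inside <query> in ossec.conf
$suppress = @"
*[System[(EventID=4673)]]
 and *[EventData[Data[@Name='PrivilegeList'] and (Data='SeProfileSingleProcessPrivilege')]]
 and *[EventData[Data[@Name='ProcessName'] and (Data='$chrome')]]
"@

# What Wazuh would still forward: Select minus Suppress (limited to 4673 for a readable sample)
$forwardedQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4673)]]</Select>
    <Suppress Path="Security">$suppress</Suppress>
  </Query>
</QueryList>
"@

# What the Suppress clause removes: the same clause used as a Select
$droppedQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$suppress</Select>
  </Query>
</QueryList>
"@

# Get-WinEvent throws when nothing matches; treat that as an empty result
$kept    = @(Get-WinEvent -FilterXml $forwardedQuery -MaxEvents 200 -ErrorAction SilentlyContinue)
$dropped = @(Get-WinEvent -FilterXml $droppedQuery   -MaxEvents 200 -ErrorAction SilentlyContinue)

"4673 events still forwarded (sample of up to 200): $($kept.Count)"
"4673 events the Suppress clause removes (sample of up to 200): $($dropped.Count)"

# Sanity check on the forwarded sample: parse each event's EventData and make sure
# no Chrome / SeProfileSingleProcessPrivilege event survived the Suppress clause.
$leaked = $kept | Where-Object {
    $x = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    ($data['ProcessName'] -eq $chrome) -and ($data['PrivilegeList'] -eq 'SeProfileSingleProcessPrivilege')
}

if ($leaked) {
    Write-Warning "Suppress clause did not match $($leaked.Count) Chrome event(s); compare ProcessName/PrivilegeList values with the query"
    $leaked | Select-Object -First 3 | ForEach-Object { $_.ToXml() }
} else {
    'Suppress clause behaves as intended for the sampled events'
}
```

Two things to watch when moving the query into ossec.conf: the XPath string comparison is exact, so if PrivilegeList in your events carries surrounding whitespace or lists several privileges the equality test will not match (the leaked-event dump above shows you the real values), and the `<query>` element should go into the endpoint's existing `<localfile>` block for the Security channel rather than into a second block for the same channel.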
Hi S K,
Hope you are doing well. Sorry for the late response.
This is just a template to give you the idea. Configure it based on your need.
Check the document for reference:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html
Regards
Md. Nazmur Sakib