Event 8215 seems to be ignored


Retro Is Best

Jun 21, 2023, 8:15:03 AM
to Wazuh mailing list
Hi there,
I've installed the Wazuh agent (4.4.4-1) on my Windows Server 2019.

I can see events from my Application event channel, BUT it seems to ignore event 8215, which is an FSRM "Not permitted" event.

Below is the xml of an example event

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="SRMSVC" />
    <EventID Qualifiers="32772">8215</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2023-06-21T08:11:07.144104900Z" />
    <EventRecordID>40328</EventRecordID>
    <Channel>Application</Channel>
    <Computer>xxx.xxx.xxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data>User NT AUTHORITY\SYSTEM attempted to save C:\ProgramData\Sophos\AutoUpdate\Cache\installed\sed64\Config\BehavioralRules\amsi_uac.dec to C:\ on the xxx server. This file is in the "Group5" file group, which is not permitted on the server.</Data>
    <Data>C:\</Data>
    <Data>"Group5"</Data>
    <Data>C:\ProgramData\Sophos\AutoUpdate\Cache\installed\sed64\Config\BehavioralRules\amsi_uac.dec</Data>
    <Data>5044</Data>
    <Data>C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\SophosUpdate.exe</Data>
    <Data>NT AUTHORITY\SYSTEM</Data>
    <Data />
  </EventData>
</Event>


I would like to monitor these events with Wazuh.

Thanks!

Javier Medeot

Jun 21, 2023, 12:55:48 PM
to Wazuh mailing list
Hi Retro.

To alert on event ID 8215, you need to monitor the Application channel and also alert on this event. While the Wazuh default ruleset includes some rules to alert on events in this channel, you need to create one rule to alert on this specific event.

To configure monitoring of the Windows event log, you need to make sure the following settings are included in your Windows agent configuration file, C:\Program Files (x86)\ossec-agent\ossec.conf.

<ossec_config>
  ...
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  ...
</ossec_config>

Restart the Wazuh agent to apply these changes. For the details on enabling Windows event monitoring, check the Wazuh documentation at https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html

Now you can create a rule for this event as follows:

<group name="FSRM,">
  ...
  <rule id="100121" level="5">
    <if_sid>60601</if_sid>
    <field name="win.system.providerName">^SRMSVC$</field>
    <field name="win.system.eventID">^8215$</field>
    <options>no_full_log</options>
    <description>FSRM "Not permitted" event.</description>
  </rule>
  ...
</group>

This rule triggers on Application channel events with severity Warning provided by FSRM with event ID 8215 specifically. Rule 60601 is the grouping rule for all Windows Application warning events, from which this rule inherits. Alternatively, you could use the default rules 60600 and 60602 for informational and error severities. Your custom rule must be placed in /var/ossec/etc/rules/local_rules.xml on the Wazuh server.

If your event is not classified according to a severity level, rather than using the above-mentioned rules as the parent, your custom rule must be based on rule 60003 instead, which is the grouping rule for all Application events. Please check the Wazuh documentation on how to create custom rules and how to replace existing ones here: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Please tell me if this is what you need, and let me know of any issues you might have concerning this. Thank you.

Javier

Javier Medeot

Jun 21, 2023, 1:52:48 PM
to Wazuh mailing list
EDIT: Sorry, I copy-pasted the wrong config. You need to make sure you have enabled

<localfile>
  <location>Application</location>
  <log_format>eventchannel</log_format>
</localfile>
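The matching logic Javier describes (parent rule chosen by the event's severity, then the custom rule's field regexes applied on top via if_sid) can be checked offline before touching local_rules.xml. The following is an added example in Python, not code from Wazuh or from this thread: it parses event XML of the shape posted above into the win.system.* field names the rule uses, picks the parent rule from the Windows Level value (assumed mapping: Level 4 or 0 to 60600, 3 to 60601, 2 to 60602, anything else to the generic Application parent 60003, mirroring the answer), and evaluates rule 100121. The sample events are constructed, the namespace URI is the standard Windows event schema, and Wazuh's real regex engine and decoder field names for unnamed <Data> elements are not reproduced here.

```python
import re
import xml.etree.ElementTree as ET

# Standard Windows event schema namespace (present on events copied from Event Viewer).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed mapping from the Windows Level value to the Wazuh Application parent rule,
# following the answer above: 60600 informational, 60601 warning, 60602 error.
WINDOWS_LEVEL_TO_PARENT = {
    0: 60600,  # "Log Always" is displayed as Information
    4: 60600,  # Information
    3: 60601,  # Warning
    2: 60602,  # Error
}
GENERIC_APPLICATION_PARENT = 60003  # grouping rule for all Application events

# The custom rule from the answer, expressed as data for this example.
CUSTOM_RULES = [
    {
        "id": 100121,
        "level": 5,
        "if_sid": 60601,
        "fields": {
            "win.system.providerName": r"^SRMSVC$",
            "win.system.eventID": r"^8215$",
        },
        "description": 'FSRM "Not permitted" event.',
    },
]


def make_event(provider="SRMSVC", event_id="8215", level="3", channel="Application"):
    """Constructed sample event in the shape FSRM writes to the Application channel."""
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <Provider Name="{provider}" />
    <EventID Qualifiers="32772">{event_id}</EventID>
    <Level>{level}</Level>
    <Channel>{channel}</Channel>
    <Computer>xxx.xxx.xxx</Computer>
  </System>
  <EventData>
    <Data>constructed sample: FSRM blocked a file save</Data>
    <Data>C:\\</Data>
    <Data>"Group5"</Data>
  </EventData>
</Event>"""


def decode_event(xml_text):
    """Flatten the <System> block into the win.system.* names the rule fields use."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)

    def text(tag):
        node = system.find(f"e:{tag}", NS)
        return node.text.strip() if node is not None and node.text else ""

    provider = system.find("e:Provider", NS)
    fields = {
        "win.system.providerName": provider.get("Name", "") if provider is not None else "",
        "win.system.eventID": text("EventID"),
        "win.system.level": text("Level"),
        "win.system.channel": text("Channel"),
        "win.system.computer": text("Computer"),
    }
    # Positional <Data> values kept as a plain list; Wazuh's own naming is not modelled.
    fields["eventdata"] = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    return fields


def parent_rule_for(fields):
    """Which default Application rule would fire first for this event (None if not Application)."""
    if fields["win.system.channel"] != "Application":
        return None
    try:
        level = int(fields["win.system.level"])
    except ValueError:
        return GENERIC_APPLICATION_PARENT
    return WINDOWS_LEVEL_TO_PARENT.get(level, GENERIC_APPLICATION_PARENT)


def match_rules(fields, rules=CUSTOM_RULES):
    """Return the rule that ends up alerting: a custom child if its if_sid and fields match,
    otherwise the parent alone. None means no Application rule applies at all."""
    parent = parent_rule_for(fields)
    if parent is None:
        return None
    for rule in rules:
        if rule["if_sid"] != parent:
            continue  # child rules only run after their if_sid parent fired
        if all(re.search(pat, fields.get(name, "")) for name, pat in rule["fields"].items()):
            return {"id": rule["id"], "level": rule["level"], "parent": parent,
                    "description": rule["description"]}
    return {"id": parent, "level": None, "parent": None, "description": "parent rule only"}


if __name__ == "__main__":
    for label, xml in [("warning 8215", make_event()),
                       ("info 8215", make_event(level="4")),
                       ("warning 8216", make_event(event_id="8216"))]:
        print(label, "->", match_rules(decode_event(xml)))
```

The second sample shows the caveat in the answer: an 8215 logged at Information level lands under 60600, so a child of 60601 never sees it, which is why the parent (60601, 60600/60602, or 60003) has to be chosen from the severity the event actually carries. On a live server the equivalent check is running the event through /var/ossec/bin/wazuh-logtest and confirming rule 100121 appears in the output.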

Retro Is Best

Jun 22, 2023, 3:50:30 AM
to Wazuh mailing list
Good morning Javier,
Just wanted to say thank you for your well-explained reply.

Your reply worked very well and allowed me to create more rules based on other events.

Thank you again!
