FIM Reg 2 question


Dmitry Mikheev

Jan 22, 2025, 2:13:35 AM
to Wazuh | Mailing List

That's how the monitoring is described in
C:\Program Files (x86)\ossec-agent\ossec.conf
--
    <windows_registry check_mtime="no" arch="both">HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mdaapp\System\Services\Email\Test</windows_registry>
--

test - a parameter of type string


When changing the parameter I get an email:

Wazuh Notification. 
2025 Jan 15 14:57:56 

Received From: (Srv2) any->syscheck 
Rule: 160411 fired (level 11) -> "Reg.Value Changed HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mdaapp\System\Services\EMail"

Portion of the log(s): Registry Value '[x64] HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mdaapp\System\Services\EMail\Test' modified 
Mode: scheduled 
Changed attributes: size,md5,sha1,sha256 
Size changed from '13' to '14' 
---


1. The monitored value contains the string parameter Test.
Why is it missing from the $(file) variable?
Is it in some other variable? I couldn't find it :(

2. I see the server name in the letter. In which variable is it? $(name) and $(agent.name) don't match.


Md. Nazmur Sakib

Jan 22, 2025, 6:43:43 AM
to Wazuh | Mailing List

Hi Dmitry,


The server name is

Received From: (Srv2) any->syscheck

Srv2 is your agent name, which is the agent.name field in your log.

In the mail alert, syscheck.path (file) is not included.

Ref: https://wazuh.com/blog/how-to-send-email-notifications-with-wazuh/


To understand your issue better can you share the custom rule 160411, that you have created?

Creating custom FIM rules

Also, share the output of this command.

cat /var/ossec/logs/alerts/alerts.json | grep 160411

Looking forward to your update on the issue.

Dmitry Mikheev

Jan 24, 2025, 3:58:20 AM
to Wazuh | Mailing List

  <rule id="160411" level="11">
    <if_sid>160410</if_sid>
    <field name="file" type="pcre2">^.*mdaapp.*</field>
    <description>Reg.Value Changed $(agent.name) $(file)</description>
  </rule>

  <rule id="160413" level="12">
    <if_sid>160411</if_sid>
    <field name="value_name" type="pcre2">^.*test.*</field>
    <description>TEST Reg.Value Changed $(agent.name) $(file)</description>
  </rule>

{"timestamp":"2025-01-15T14:57:56.835+0200","rule":{"level":11,"description":"Reg.Value Changed  HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\mdaapp\\System\\Services\\EMail","id":"160411","firedtimes":1,"mail":true,"groups":["windows","syscheck","syscheck_entry_modified","syscheck_registry"],"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"009","name":"Srv2,"ip":"192.168.4.6"},"manager":{"name":"Wazuh04"},"id":"1736945876.666465440","full_log":"Registry Value '[x64] HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\mdaapp\\System\\Services\\EMail\\Test' modified\nMode: scheduled\nChanged attributes: size,md5,sha1,sha256\nSize changed from '13' to '14'\nOld md5sum was: 'bb48ae75145fed61855055ead3c233ea'\nNew md5sum is : '1799b47eb38383e9f821b0dc96f068d9'\nOld sha1sum was: 'fe1846f1c0253c8e7680c91cdd768cd5843cc05d'\nNew sha1sum is : 'c6c5cbafd5725fb90ff57d8e3fb12aa4be904e3f'\nOld sha256sum was: 'ddf5fa80c6fa2fb5c96a98e1066eb5189ef446d707b4918050e684e7301112e6'\nNew sha256sum is : 'a220f4ba0c1ec603862e169f2dcbac0dba52b8ef48942a5037cbd85a8187d43f'\n","syscheck":{"path":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\mdaapp\\System\\Services\\EMail","mode":"scheduled","arch":"[x64]","value_name":"Test","value_type":"REG_SZ","size_before":"13","size_after":"14","md5_before":"bb48ae75145fed61855055ead3c233ea","md5_after":"1799b47eb38383e9f821b0dc96f068d9","sha1_before":"fe1846f1c0253c8e7680c91cdd768cd5843cc05d","sha1_after":"c6c5cbafd5725fb90ff57d8e3fb12aa4be904e3f","sha256_before":"ddf5fa80c6fa2fb5c96a98e1066eb5189ef446d707b4918050e684e7301112e6","sha256_after":"a220f4ba0c1ec603862e169f2dcbac0dba52b8ef48942a5037cbd85a8187d43f","changed_attributes":["size","md5","sha1","sha256"],"event":"modified"},"decoder":{"name":"syscheck_registry_value_modified"},"location":"syscheck"}

{"timestamp":"2025-01-15T14:57:56.837+0200","rule":{"level":11,"description":"Reg.Value Changed  HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\mdaapp\\System\\Services\\EMail","id":"160411","firedtimes":2,"mail":true,"groups":["windows","syscheck","syscheck_entry_modified","syscheck_registry"],"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"009","name":"Srv2,"ip":"192.168.4.6"},"manager":{"name":"Wazuh04"},"id":"1736945876.666466681","full_log":"Registry Value '[x32] HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\mdaapp\\System\\Services\\EMail\\Test' modified\nMode: scheduled\nChanged attributes: size,md5,sha1,sha256\nSize changed from '13' to '14'\nOld md5sum was: 'bb48ae75145fed61855055ead3c233ea'\nNew md5sum is : '1799b47eb38383e9f821b0dc96f068d9'\nOld sha1sum was: 'fe1846f1c0253c8e7680c91cdd768cd5843cc05d'\nNew sha1sum is : 'c6c5cbafd5725fb90ff57d8e3fb12aa4be904e3f'\nOld sha256sum was: 'ddf5fa80c6fa2fb5c96a98e1066eb5189ef446d707b4918050e684e7301112e6'\nNew sha256sum is : 'a220f4ba0c1ec603862e169f2dcbac0dba52b8ef48942a5037cbd85a8187d43f'\n","syscheck":{"path":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\mdaapp\\System\\Services\\EMail","mode":"scheduled","arch":"[x32]","value_name":"Test","value_type":"REG_SZ","size_before":"13","size_after":"14","md5_before":"bb48ae75145fed61855055ead3c233ea","md5_after":"1799b47eb38383e9f821b0dc96f068d9","sha1_before":"fe1846f1c0253c8e7680c91cdd768cd5843cc05d","sha1_after":"c6c5cbafd5725fb90ff57d8e3fb12aa4be904e3f","sha256_before":"ddf5fa80c6fa2fb5c96a98e1066eb5189ef446d707b4918050e684e7301112e6","sha256_after":"a220f4ba0c1ec603862e169f2dcbac0dba52b8ef48942a5037cbd85a8187d43f","changed_attributes":["size","md5","sha1","sha256"],"event":"modified"},"decoder":{"name":"syscheck_registry_value_modified"},"location":"syscheck"}
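
As an added example (not from the thread or the Wazuh project), a small Python script that reads alerts.json lines like the two above and shows where the value name actually lives: syscheck.path stops at the key, and the value name is the separate syscheck.value_name field. The sample alerts are constructed from the quoted ones (hashes dropped), and the placeholder-to-field mapping for $(file) and $(hostname) is the script's own assumption based on the reply; it also collapses the [x64]/[x32] pair into one entry.

```python
import json
import re

# Constructed sample: the two alert lines quoted in this thread, trimmed to the
# fields the rule uses (hashes dropped, the pasted quoting error corrected).
KEY = "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\mdaapp\\\\System\\\\Services\\\\EMail"
SAMPLE_ALERTS = [
    '{"rule":{"id":"160411","level":11},"agent":{"id":"009","name":"Srv2"},'
    '"syscheck":{"path":"' + KEY + '","arch":"' + arch + '","value_name":"Test",'
    '"changed_attributes":["size","md5","sha1","sha256"],"event":"modified"}}'
    for arch in ("[x64]", "[x32]")
]
# Assumed mapping: $(file) -> syscheck.path, $(hostname) -> agent.name, per the thread.
FIELD_MAP = {"file": ("syscheck", "path"), "hostname": ("agent", "name"),
             "value_name": ("syscheck", "value_name")}

def parse_alerts(lines, rule_id="160411"):
    """alerts.json holds one JSON object per line; keep those for rule_id."""
    alerts = []
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # a damaged line (like the paste above) must not abort the run
        if alert.get("rule", {}).get("id") == rule_id:
            alerts.append(alert)
    return alerts

def registry_value_path(alert):
    """syscheck.path is only the key; the value name lives in syscheck.value_name."""
    sc = alert["syscheck"]
    return sc["path"] + "\\" + sc["value_name"] if sc.get("value_name") else sc["path"]

def render_description(template, alert):
    """Expand $(name) placeholders as a rule <description> would (assumed mapping)."""
    def lookup(m):
        section, key = FIELD_MAP.get(m.group(1), (None, None))
        return str(alert.get(section, {}).get(key, "")) if section else m.group(0)
    return re.sub(r"\$\((\w+)\)", lookup, template)

def group_by_value(alerts):
    """Collapse the [x64]/[x32] duplicates of one changed value into one entry."""
    groups = {}
    for a in alerts:
        key = (a["agent"]["name"], registry_value_path(a),
               tuple(a["syscheck"]["changed_attributes"]))
        groups.setdefault(key, []).append(a["syscheck"]["arch"])
    return groups
```

Run it against `grep 160411 /var/ossec/logs/alerts/alerts.json` output to confirm that a description built from syscheck.path alone never carries the value name.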

Dmitry Mikheev

Jan 28, 2025, 7:40:04 AM
to Wazuh | Mailing List
Any ideas?

Md. Nazmur Sakib

Mar 3, 2025, 6:52:31 AM
to Wazuh | Mailing List

To reflect agent.name in the rule description, you need to use hostname.



  <rule id="160411" level="11">
    <if_sid>160410</if_sid>
    <field name="file" type="pcre2">^.*mdaapp.*</field>
    <description>Reg.Value Changed $(hostname) $(file)</description>
  </rule>

  <rule id="160413" level="12">
    <if_sid>160411</if_sid>
    <field name="value_name" type="pcre2">^.*test.*</field>
    <description>TEST Reg.Value Changed $(hostname) $(file)</description>
  </rule>


Let me know if this works for you.
