Filtering by EventID and Keyword in Windows Wazuh agent side

[Francesc G]

Hello,

I want to audit unsuccessful attempts to access directories and files. This is achieved by auditing event 4656 but it is filtered out by default in Windows Wazuh agent:

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event[System/EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157 and EventID != 4656]</query>
  </localfile>

Removing  "and EventID != 4656" simply generates a lot of audit success events in Wazuh that I don't want to deal with. I would like to receive the events with ID 4656 and audit failure which leads me to filter by Event ID plus Keyword field. 

Keyword 0x8020000000000000 corresponds to audit success 

And Keyword 0x8010000000000000 corresponds to audit failure

I tried the following query but the I don't get any Security event:

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157 and (EventID != 4656 and Keywords != '0x8020000000000000')]</query>
  </localfile>

I also tried with Keyword in decimal as follows. Then I get Security events but none with Event ID 4656 :

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157 and (EventID != 4656 and Keywords != '9007199254740992')]</query>
  </localfile>

Any ideas on how to filter negatively on EventID and Keywords in the Wazuh agent side?

Best regards.

[Mohamed El Amine Gaoudi]

Hi there,

Currently, your XPath query logic unintentionally excludes all Event ID 4656 events, including the failure ones, because of this condition:

(EventID != 4656 and Keywords != '0x8020000000000000')

I tested the Windows event you provided and could not trigger any default alert besides the parent rule for Windows events, as shown below. Are you using any custom rules to trigger these alerts? If so, could you please share your custom rules or the IDs of the alerts you are currently seeing on your dashboard?

I’d like to replicate this issue locally to provide you with the best approach tailored to your needs.

Regards!

[Francesc G]

Hi,

Finally I achieved to get it working using QueryList:

    <localfile>
      <location>Security</location>
      <log_format>eventchannel</log_format>
      <query>

            \<QueryList\>
                \<Query Id="0" Path="Security"\>
                    \<Select Path="Security"\>*[System[band(Keywords,4503599627370496) and (EventID=4656)]]\</Select\>
                    \<Select Path="Security"\>*[System[(EventID!=5145 and EventID!=5156 and EventID!=5447 and EventID!=4658 and
                        EventID!=4663 and EventID!=4660 and EventID!=4670 and EventID!=4690 and EventID!=4703 and
                        EventID!=4907 and EventID!=5152 and EventID!=5157 and EventID!=4656)]]\</Select\>
                \</Query\>
            \</QueryList\>
        </query>
    </localfile>

Best regards