Hello,
Add <location>Microsoft-Windows-Sysmon/Operational</location>, so the rule looks like:
<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
<query>Event[System[Provider[@Name='Microsoft-Windows-Sysmon'] and (EventID=3)]] and not (EventData[Data[@Name='DestinationIp'] and (Data='127.0.0.1')])</query>
</localfile>
No errors, but now I don't receive all Sysmon event 3 logs, not only the ones with DestinationIp='127.0.0.1'.
It looks like Wazuh doesn't understand the part after EventID=3.
I tried: and not (EventData[Data[@Name='DestinationIp'] and (Data='127.0.0.1')])
I tried: and (EventData[Data[@Name='DestinationIp'] and (Data='127.0.0.1')])
with the same result.
Thanks for your help.

Hello,
Your rule:
<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
<query>Event[System/EventID = 3]</query>
</localfile>
does nothing; to suppress all EventID = 3 you must change the <query> part to:
<query>Event/System[EventID != 3]</query>
Given the lack of documentation, I tried a lot of different variants and this looks like the best one.
But the problems begin when you need to specify not all EventID = 3 but EventID = 3 + IP (127.0.0.1).
Of course you can silence this event using a rule with level = 0, but I don't need to store hundreds of billions of events on the server (one PC with Kubernetes generates ~1000-2000 events per 10 sec).
Maybe there is some solution to ignore all events from Programs\\\\Lens\\\\Lens.exe, if this is possible.
Original message added:
{"true":1713256214.809649,"timestamp":"2024-04-16T08:30:14.794+0000","rule":{"level":3,"description":"Sysmon - Event 3: Network connection to 127.0.0.1:65503 by C:\\\\Users\\\\ \\\\AppData\\\\Local\\\\Programs\\\\Lens\\\\Lens.exe","id":"61605","firedtimes":39125,"mail":false,"groups":["windows","sysmon","sysmon_event3"]},"agent":{"id":"013","name":"sb159","ip":"10.14.2.26","labels":{"customer":"zaritskyi"}},"manager":{"name":"wazuhserver"},"id":"1713256214.2278996538","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"3","version":"5","level":"4","task":"3","opcode":"0","keywords":"0x8000000000000000","systemTime":"2024-04-16T08:30:13.5386528Z","eventRecordID":"798566980","processID":"5204","threadID":"5432","channel":"Microsoft-Windows-Sysmon/Operational","computer":"","severityValue":"INFORMATION","message":"\"Network connection detected:\r\nRuleName: -\r\nUtcTime: 2024-04-16 08:30:15.770\r\nProcessGuid: {c3656c19-cd33-661c-7424-00000000b101}\r\nProcessId: 7772\r\nImage: C:\\Users\\ \\AppData\\Local\\Programs\\Lens\\Lens.exe\r\nUser: IT\\ \r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 127.0.0.1\r\nSourceHostname: sb159.it.ua\r\nSourcePort: 58475\r\nSourcePortName: -\r\nDestinationIsIpv6: false\r\nDestinationIp: 127.0.0.1\r\nDestinationHostname: sb159.it.ua\r\nDestinationPort: 65503\r\nDestinationPortName: -\""},"eventdata":{"utcTime":"2024-04-16 08:30:15.770","processGuid":"{c3656c19-cd33-661c-7424-00000000b101}","processId":"7772","image":"C:\\\\Users\\\\ \\\\AppData\\\\Local\\\\Programs\\\\Lens\\\\Lens.exe","user":"","protocol":"tcp","initiated":"true","sourceIsIpv6":"false","sourceIp":"127.0.0.1","sourceHostname":"","sourcePort":"58475","destinationIsIpv6":"false","destinationIp":"127.0.0.1","destinationHostname":"","destinationPort":"65503"}}},"location":"EventChannel"}
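A practical way to take the guesswork out of the <query> element is to run the candidate XPath against the live Sysmon channel with Get-WinEvent before putting it in ossec.conf, since the agent hands the same string to the Windows event-log query engine. The script below is an added example and is not code from the thread or from the Wazuh project; the XPath string in it is an assumption (it uses only the `!=`, `and` and `or` operators of the Windows event-log XPath subset, written in the `*[System[...]]` form Get-WinEvent accepts, whereas the thread and the Wazuh docs write `Event/System[...]`), and the function name Test-EventChannelQuery is invented for illustration.

```powershell
# Added example (not from the thread or from Wazuh): validate an eventchannel
# <query> locally before deploying it to the agent.
$Channel = 'Microsoft-Windows-Sysmon/Operational'

# Candidate query (assumption): keep every Sysmon event except EventID 3 whose
# DestinationIp is 127.0.0.1. The second branch keeps the other EventID 3 events.
$XPath = "*[System[EventID!=3]] or *[System[EventID=3] and EventData[Data[@Name='DestinationIp']!='127.0.0.1']]"

function Test-EventChannelQuery {
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [string] $Query,
        [int] $MaxEvents = 200
    )
    try {
        # Get-WinEvent rejects unsupported XPath with "The specified query is invalid";
        # a query that fails here will not work in the agent's <query> either.
        $events = Get-WinEvent -LogName $LogName -FilterXPath $Query `
                               -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        Write-Host "Query rejected or matched nothing: $($_.Exception.Message)"
        return
    }
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML so the result
        # can be inspected per field, the same fields Wazuh exposes as win.eventdata.*
        $xml = [xml] $e.ToXml()
        $data = $xml.Event.EventData.Data
        [pscustomobject]@{
            EventID       = $e.Id
            DestinationIp = ($data | Where-Object { $_.Name -eq 'DestinationIp' }).'#text'
            Image         = ($data | Where-Object { $_.Name -eq 'Image' }).'#text'
        }
    }
}

# Show which destination IPs survive the filter for EventID 3. If 127.0.0.1 still
# appears here, the XPath is not doing what you expect and must not go into ossec.conf.
Test-EventChannelQuery -LogName $Channel -Query $XPath |
    Where-Object { $_.EventID -eq 3 } |
    Group-Object DestinationIp |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

Once a query passes this check, paste the same string into the `<query>` element of the `<localfile>` block. If you later extend it with characters that XML treats specially (`<`, `&`), they must be escaped in ossec.conf; `!=`, `=`, quotes and brackets need no escaping. Note that the check only proves the Windows query engine accepts and applies the filter; whether a given Wazuh agent version forwards the query unchanged is something to confirm against the agent's own documentation.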