Sysmon message received but not displayed


HA

Jun 29, 2022, 10:55:04 AM
to Wazuh mailing list
Hi all,

I installed Wazuh (4.3.4) in docker mode.
On the agent, I installed Sysmon to catch events (DNS queries, etc.).
In the event viewer of the workstation, I can see Sysmon events.
On the GUI (agent stats), the number of Microsoft-Windows-Sysmon/Operational events is increasing, but I can't see them in the Security Events...

What's the problem?

Regards,

HA


Juan Nicolás Asselle

Jun 29, 2022, 12:16:33 PM
to Wazuh mailing list

Hi HA,

The fact that collection statistics are increasing for that particular agent and event channel gives us the clue that the problem seems to be on the Wazuh Manager side, specifically the default Sysmon ruleset rules and their alert level.
As you can see in the Sysmon rules file, almost all rules have level="0" to avoid alert flooding for every Wazuh user, and to allow only those who might need them to enable them.
You can create child custom rules (with one of the rules in 0595-win-sysmon_rules.xml as the parent rule) that match your specific DNS query criteria and have a higher level, in order to create a proper alert. For example, to match EventID 22 (Sysmon DNSEvent), you can create a custom rule using if_sid with rule 6000 and filtering on the eventID:

<!-- add to /var/ossec/etc/rules/local_rules.xml; rules must sit inside a <group> to be loaded -->
<group name="sysmon,local,">
  <rule id="100001" level="5">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^22$</field>
    <description>Sysmon - Event 22: DNS Query</description>
  </rule>
</group>

Hope this helps!
Regards,
Nico
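As an added illustration (not part of Nico's reply and not Wazuh's own code), a small Python model of why the level-0 parent rule never produces an alert while the child rule above does. It assumes Wazuh's default log_alert_level of 3, a simplified parent/child rule walk, and constructed decoded events in the eventchannel JSON shape.

```python
import re
import xml.etree.ElementTree as ET
# Constructed stand-in for parent rule 61600 (level 0) plus the child rule from the reply.
RULES_XML = """<group name="sysmon,">
  <rule id="61600" level="0">
    <field name="win.system.providerName">^Microsoft-Windows-Sysmon$</field>
    <description>Sysmon - Event</description>
  </rule>
  <rule id="100001" level="5">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^22$</field>
    <description>Sysmon - Event 22: DNS Query</description>
  </rule>
</group>"""

LOG_ALERT_LEVEL = 3  # Wazuh default <log_alert_level>; lower levels never reach alerts.json

def load_rules(xml_text):
    """Parse each <rule> into id, level, if_sid and compiled <field> regexes."""
    return [{"id": r.get("id"), "level": int(r.get("level")),
             "if_sid": r.findtext("if_sid"),
             "fields": {f.get("name"): re.compile(f.text) for f in r.findall("field")}}
            for r in ET.fromstring(xml_text).iter("rule")]

def lookup(event, dotted):
    """Resolve a dotted name such as win.system.eventID in the decoded event."""
    for key in dotted.split("."):
        event = event.get(key) if isinstance(event, dict) else None
    return event

def evaluate(rules, event):
    """Walk rules in file order; a child runs only after its if_sid parent matched."""
    matched = None
    for rule in rules:
        if rule["if_sid"] and not (matched and matched["id"] == rule["if_sid"]):
            continue
        values = {n: lookup(event, n) for n in rule["fields"]}
        if all(isinstance(v, str) and rule["fields"][n].search(v) for n, v in values.items()):
            matched = rule  # the most specific matching rule wins
    return matched

def alert_for(rules, event):
    """Return (rule id, level) when the matched rule clears the alert threshold, else None."""
    rule = evaluate(rules, event)
    return (rule["id"], rule["level"]) if rule and rule["level"] >= LOG_ALERT_LEVEL else None

# Constructed decoded events in the shape of Wazuh's eventchannel JSON.
DNS_QUERY = {"win": {"system": {"providerName": "Microsoft-Windows-Sysmon", "eventID": "22"},
                     "eventdata": {"queryName": "example.com"}}}
PROCESS_CREATE = {"win": {"system": {"providerName": "Microsoft-Windows-Sysmon", "eventID": "1"}}}
```

Without the child rule, every Sysmon event stops at the level-0 parent and is counted in the agent statistics but never written as an alert, which is exactly the symptom in the question.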
