wazuh decoder for task scheduler

[Fabio Miotti]

i have windows server 2019 and i need to capture task scheduler windows that has this log:

i would like to receive the alerts for severityValue: critical,warning,error

not information.

i ave tried to follow this link but for me it doesn't work. it sends alerts also for other things,not omly for task scheduler

https://groups.google.com/g/wazuh/c/4m0WR7FVwfA

thanks for your help

2023 Mar 02 08:15:50 (Thor) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-TaskScheduler","providerGuid":"{de7b24ea-73c8-4a09-985d-5bdadcfa9017}","eventID":"201","version":"2","level":"4","task":"201","opcode":"2","keywords":"0x8000000000000000","systemTime":"2023-03-02T08:15:49.434795100Z","eventRecordID":"135229","processID":"1380","threadID":"6124","channel":"Microsoft-Windows-TaskScheduler/Operational","computer":"Thor.zardo.local","severityValue":"INFORMATION","message":"\"Task Scheduler successfully completed task \"\\Importa Dati Modelli Colata Da SAP\" , instance \"{285854af-62d9-4219-a74e-e82f41ce6781}\" , action \"C:\\PROGELTA_SAP\\COLATA\\Import_From_Sap\\ProgeltaMySQLAM.exe\" with return code 0.\""},"eventdata":{"taskName":"\\\\Importa Dati Modelli Colata Da SAP","taskInstanceId":"{285854af-62d9-4219-a74e-e82f41ce6781}","actionName":"C:\\\\PROGELTA_SAP\\\\COLATA\\\\Import_From_Sap\\\\ProgeltaMySQLAM.exe","resultCode":"0","enginePID":"1496"}}}

[Héctor Gómez]

Regards @Fabio

Thank you for using wazuh!
I am going to simulate the rule to bring the events and help you solve your doubt. Thanks for waiting again.

[Héctor Gómez]

Could you please provide the current rule you have to filter the events?

[Tomas Giordano]

Hello Fabio, how are you?

To achieve what you want, you must create a set of rules rather than decoders.
This is due that decoders for windows TaskScheduler events already exists and is named "event_channel".
A parent rule that catches (but does not log) every TaskScheduler event by it's own event-channel. And then child-rules that filters out every severity level you want to catch.
These child rules must log the filtered events to wazuh dashboard, so level for each of them must be 3 or higher.
Let's figure this out:
In order to filter TaskScheduler events by severity levels "Warning, Error and Critical" you must first create a rule to catch all the TaskScheduler events.
You may create a rule that looks like this one below:
It's adviceable to set level on 0 for this parent Rule, otherwise every TaskScheduler event will be logged onto Wazuh Dashboard

<rule id="606302" level="0">
  <if_group>windows</if_group>
  <field name="win.system.channel">^Microsoft-Windows-TaskScheduler/Operational$</field>
  <options>no_full_log</options>
  <description>Group of Windows rules for the Task Scheduler Operational channel</description>
</rule>

Then, you may create child rules in order to catch events by severity.
Remember to set level to 3 to get these filtered events on your wazuh dashboard:

<rule id="77770" level="3">
  <if_sid>60601</if_sid>
  <field name="win.system.severityValue">^WARNING$</field>
  <options>no_full_log</options>
  <description>Task Scheduler Warning event</description>
</rule>

<rule id="77771" level="3">
  <if_sid>60602</if_sid>
  <field name="win.system.severityValue">^ERROR$</field>
  <options>no_full_log</options>
  <description>Task Scheduler Error event</description>
</rule>

You can see more about rules on the Wazuh Documentation:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
And especifically about windows logs collection:
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html

Hope this helps!

[Fabio Miotti]

Hi Tomas-Hector

i'm not expert

following Tomas, i have configured these 3 rules in local_rules but i'm receiving the email for all severityvalue WARNING-ERROR for application, not only for task scheduler.

can you help me please

<rule id="606302" level="0">
  <if_group>windows</if_group>
  <field name="win.system.channel">^Microsoft-Windows-TaskScheduler/Operational$</field>
  <options>no_full_log</options>
  <description>Group of Windows rules for the Task Scheduler Operational channel</description>
</rule>

<rule id="77770" level="3">
  <if_sid>60601</if_sid>
  <field name="win.system.severityValue">^WARNING$</field>
  <options>no_full_log</options>
  <description>Task Scheduler Warning event</description>
</rule>

<rule id="77771" level="3">
  <if_sid>60602</if_sid>
  <field name="win.system.severityValue">^ERROR$</field>
  <options>no_full_log</options>
  <description>Task Scheduler Error event</description>
</rule>

<rule id="606302" level="0">
  <if_group>windows</if_group>
  <field name="win.system.channel">^Microsoft-Windows-TaskScheduler/Operational$</field>
  <options>no_full_log</options>
  <description>Group of Windows rules for the Task Scheduler Operational channel</description>
</rule>

in fact, from wazuh-logtest it doesn't find the rule correctly:

2023 Mar 09 18:55:02 (Thor) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-TaskScheduler","providerGuid":"{de7b24ea-73c8-4a09-985d-5bdadcfa9017}","eventID":"322","version":"0","level":"3","task":"322","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-03-09T18:55:01.112040100Z","eventRecordID":"144932","processID":"1380","threadID":"8120","channel":"Microsoft-Windows-TaskScheduler/Operational","computer":"Thor.zardo.local","severityValue":"WARNING","message":"\"Task Scheduler did not launch task \\\Importa Dati Modelli Colata Da SAP (2)\  because instance \"{bc59f08f-6151-4e98-ac49-82ab1e4e59e4}\"  of the same task is already running.\""},"eventdata":{"taskName":\\\\Importa Dati Modelli Colata Da SAP (2),"taskInstanceId":"{bc59f08f-6151-4e98-ac49-82ab1e4e59e4}"}}}

[Fabio Miotti]

Hi

the logs about task scheduler are not under Application, under microsoft-windows-taskscheduler-operational

can you help me please?

thanks