All Application Launching, Crashing and Stopping logs


Wazuh Emailer

Apr 12, 2024, 1:07:45 AM
to Wazuh | Mailing List
Hi,

I currently have a requirement where I would like to monitor, on the Wazuh Dashboard, which applications (at least by PID) are starting, stopping or even crashing. Is this possible? How can I achieve this?

Thanks and Regards
John

Wazuh Emailer

Apr 12, 2024, 5:30:18 AM
to Wazuh | Mailing List
Update:
I have activated the Group Policy (PFB) for getting events with IDs 4688 and 4689, for Process Creation and Process Termination respectively.
I am able to see the logs in archives.json when I enabled <logall_json> and used "| grep 4688".
However I am unable to see the logs on the dashboard. How do I view the said event logs on Wazuh?
Also is there anyway I can get a log saying that an application crashed?

(attachment: GPO.png)

Warm Regards
John


Gonzalo Membrillo Solbes

Apr 18, 2024, 9:15:10 AM
to Wazuh | Mailing List
Hello John,

In that case, we will need to make a new Windows rule that triggers off of those event IDs, since they aren't being monitored by default. In your case, you will most likely need to make something like this:
<rule id="100100" level="4">
    <!-- Fires as a child of the rules in the "windows" group; match on the Security event ID -->
    <if_group>windows</if_group>
    <field name="win.system.eventID">^4688$|^4689$</field>
    <description>A process has been created (4688) or has exited (4689)</description>
    <!-- Keep the full eventchannel JSON out of the alert body -->
    <options>no_full_log</options>
</rule>

Keep in mind this might not work right off the bat since we don't know which rules these events would trigger. I'd require the events taken from the archives.json file to correctly decipher them. For more information on rule creation, you can check out our documentation on this topic:

I hope you find this helpful. Feel free to let us know if you need anything else.

Regards,
Gonzalo

Wazuh Emailer

Apr 22, 2024, 1:01:43 AM
to Gonzalo Membrillo Solbes, Wazuh | Mailing List
Hi,

This is what I found while grepping for the Event ID 4688.

{"timestamp":"2024-04-22T04:52:09.365+0000","agent":{"id":"005","name":"PCNAMEHERE","ip":"192.168.25.230"},"manager":{"name":"wazuh"},"id":"1713761529.4724618","cluster":{"name":"main","node":"server"},"full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"4688\",\"version\":\"2\",\"level\":\"0\",\"task\":\"13312\",\"opcode\":\"0\",\"keywords\":\"0x8020000000000000\",\"systemTime\":\"2024-04-22T04:52:03.8193703Z\",\"eventRecordID\":\"446683\",\"processID\":\"4\",\"threadID\":\"24508\",\"channel\":\"Security\",\"computer\":\"PCNAMEHERE\",\"severityValue\":\"AUDIT_SUCCESS\",\"message\":\"\\\"A new process has been created.\\r\\n\\r\\nCreator Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-3332965464-3090906830-1853760760-1001\\r\\n\\tAccount Name:\\t\\tJohn\\r\\n\\tAccount Domain:\\t\\tPCNAMEHERE\\r\\n\\tLogon ID:\\t\\t0x1285F74\\r\\n\\r\\nTarget Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nProcess Information:\\r\\n\\tNew Process ID:\\t\\t0x3b10\\r\\n\\tNew Process Name:\\tC:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\r\\n\\tToken Elevation Type:\\t%%1938\\r\\n\\tMandatory Label:\\t\\tS-1-16-4096\\r\\n\\tCreator Process ID:\\t0x3d3c\\r\\n\\tCreator Process Name:\\tC:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\r\\n\\tProcess Command Line:\\t\\r\\n\\r\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\r\\n\\r\\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\r\\n\\r\\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\r\\n\\r\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\\\"\"},\"eventdata\":{\"subjectUserSid\":\"S-1-5-21-3332965464-3090906830-1853760760-1001\",\"subjectUserName\":\"John\",\"subjectDomainName\":\"PCNAMEHERE\",\"subjectLogonId\":\"0x1285f74\",\"newProcessId\":\"0x3b10\",\"newProcessName\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\",\"tokenElevationType\":\"%%1938\",\"processId\":\"0x3d3c\",\"targetUserSid\":\"S-1-0-0\",\"targetLogonId\":\"0x0\",\"parentProcessName\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\",\"mandatoryLabel\":\"S-1-16-4096\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4688","version":"2","level":"0","task":"13312","opcode":"0","keywords":"0x8020000000000000","systemTime":"2024-04-22T04:52:03.8193703Z","eventRecordID":"446683","processID":"4","threadID":"24508","channel":"Security","computer":"PCNAMEHERE","severityValue":"AUDIT_SUCCESS","message":"\"A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-21-3332965464-3090906830-1853760760-1001\r\n\tAccount Name:\t\tJohn\r\n\tAccount Domain:\t\tPCNAMEHERE \r\n\tLogon ID:\t\t0x1285F74\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x3b10\r\n\tNew Process Name:\tC:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\r\n\tToken Elevation Type:\t%%1938\r\n\tMandatory Label:\t\tS-1-16-4096\r\n\tCreator Process ID:\t0x3d3c\r\n\tCreator Process Name:\tC:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\""},"eventdata":{"subjectUserSid":"S-1-5-21-3332965464-3090906830-1853760760-1001","subjectUserName":"John","subjectDomainName":"PCNAMEHERE","subjectLogonId":"0x1285f74","newProcessId":"0x3b10","newProcessName":"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe","tokenElevationType":"%%1938","processId":"0x3d3c","targetUserSid":"S-1-0-0","targetLogonId":"0x0","parentProcessName":"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe","mandatoryLabel":"S-1-16-4096"}}},"location":"EventChannel"}


I'm unable to figure out how to bring this to the Wazuh dashboard.


Thanks and Regards,

John



Wazuh Emailer

Apr 22, 2024, 1:10:43 AM
to Gonzalo Membrillo Solbes, Wazuh | Mailing List
Hi Gonzalo,

Similarly, this is for Event ID 4689 from archives.json. I have taken two sample events.

{"timestamp":"2024-04-22T05:01:35.468+0000","agent":{"id":"005","name":"ITPL-XLR8","ip":"192.168.0.20"},"manager":{"name":"wazuh"},"id":"1713762095.4766397","cluster":{"name":"main","node":"server"},"full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"4689\",\"version\":\"0\",\"level\":\"0\",\"task\":\"13313\",\"opcode\":\"0\",\"keywords\":\"0x8020000000000000\",\"systemTime\":\"2024-04-22T05:01:29.0377669Z\",\"eventRecordID\":\"446786\",\"processID\":\"4\",\"threadID\":\"9896\",\"channel\":\"Security\",\"computer\":\"PCNAMEHERE\",\"severityValue\":\"AUDIT_SUCCESS\",\"message\":\"\\\"A process has exited.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-3332965464-3090906830-1853760760-1001\\r\\n\\tAccount Name:\\t\\tJohn\\r\\n\\tAccount Domain:\\t\\tPCNAMEHERE\\r\\n\\tLogon ID:\\t\\t0x1285F74\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t0x5e3c\\r\\n\\tProcess Name:\\tC:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe\\r\\n\\tExit Status:\\t0x1\\\"\"},\"eventdata\":{\"subjectUserSid\":\"S-1-5-21-3332965464-3090906830-1853760760-1001\",\"subjectUserName\":\"John\",\"subjectDomainName\":\"PCNAMEHERE\",\"subjectLogonId\":\"0x1285f74\",\"status\":\"0x1\",\"processId\":\"0x5e3c\",\"processName\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backgroundTaskHost.exe\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4689","version":"0","level":"0","task":"13313","opcode":"0","keywords":"0x8020000000000000","systemTime":"2024-04-22T05:01:29.0377669Z","eventRecordID":"446786","processID":"4","threadID":"9896","channel":"Security","computer":"PCNAMEHERE","severityValue":"AUDIT_SUCCESS","message":"\"A process has exited.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-3332965464-3090906830-1853760760-1001\r\n\tAccount Name:\t\tJohn\r\n\tAccount Domain:\t\tPCNAMEHERE\r\n\tLogon ID:\t\t0x1285F74\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x5e3c\r\n\tProcess Name:\tC:\\Windows\\System32\\backgroundTaskHost.exe\r\n\tExit Status:\t0x1\""},"eventdata":{"subjectUserSid":"S-1-5-21-3332965464-3090906830-1853760760-1001","subjectUserName":"John","subjectDomainName":"PCNAMEHERE","subjectLogonId":"0x1285f74","status":"0x1","processId":"0x5e3c","processName":"C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe"}}},"location":"EventChannel"}

{"timestamp":"2024-04-22T05:01:46.458+0000","agent":{"id":"005","name":"STRNTM-05","ip":"192.168.0.20"},"manager":{"name":"wazuh"},"id":"1713762106.4766397","cluster":{"name":"main","node":"server"},"full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"4689\",\"version\":\"0\",\"level\":\"0\",\"task\":\"13313\",\"opcode\":\"0\",\"keywords\":\"0x8020000000000000\",\"systemTime\":\"2024-04-22T05:01:40.0521121Z\",\"eventRecordID\":\"446787\",\"processID\":\"4\",\"threadID\":\"4436\",\"channel\":\"Security\",\"computer\":\"PCNAMEHERE\",\"severityValue\":\"AUDIT_SUCCESS\",\"message\":\"\\\"A process has exited.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-3332965464-3090906830-1853760760-1001\\r\\n\\tAccount Name:\\t\\tJohn\\r\\n\\tAccount Domain:\\t\\tPCNAMEHERE\\r\\n\\tLogon ID:\\t\\t0x1285F74\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t0x4a4c\\r\\n\\tProcess Name:\\tC:\\\\Program Files\\\\Seqrite\\\\Seqrite\\\\APCTSCN.EXE\\r\\n\\tExit Status:\\t0x1\\\"\"},\"eventdata\":{\"subjectUserSid\":\"S-1-5-21-3332965464-3090906830-1853760760-1001\",\"subjectUserName\":\"John\",\"subjectDomainName\":\"PCNAMEHERE\",\"subjectLogonId\":\"0x1285f74\",\"status\":\"0x1\",\"processId\":\"0x4a4c\",\"processName\":\"C:\\\\\\\\Program Files\\\\\\\\Seqrite\\\\\\\\Seqrite\\\\\\\\APCTSCN.EXE\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4689","version":"0","level":"0","task":"13313","opcode":"0","keywords":"0x8020000000000000","systemTime":"2024-04-22T05:01:40.0521121Z","eventRecordID":"446787","processID":"4","threadID":"4436","channel":"Security","computer":"PCNAMEHERE","severityValue":"AUDIT_SUCCESS","message":"\"A process has exited.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-3332965464-3090906830-1853760760-1001\r\n\tAccount Name:\t\tJohn\r\n\tAccount Domain:\t\tPCNAMEHERE\r\n\tLogon ID:\t\t0x1285F74\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x4a4c\r\n\tProcess Name:\tC:\\Program Files\\Seqrite\\Seqrite\\APCTSCN.EXE\r\n\tExit Status:\t0x1\""},"eventdata":{"subjectUserSid":"S-1-5-21-3332965464-3090906830-1853760760-1001","subjectUserName":"John","subjectDomainName":"PCNAMEHERE","subjectLogonId":"0x1285f74","status":"0x1","processId":"0x4a4c","processName":"C:\\\\Program Files\\\\Seqrite\\\\Seqrite\\\\APCTSCN.EXE"}}},"location":"EventChannel"}


Much thanks and Regards
John

Wazuh Emailer

Apr 22, 2024, 1:31:43 AM
to Gonzalo Membrillo Solbes, Wazuh | Mailing List
Hi,

I would like to update that the events are showing as logs on the dashboard.
Is it possible to show the process name in the description and make it look more informative (any suggestions you have, I mean)?

Also, is there any event ID in Windows that says a process has ended abnormally or crashed? I am unable to find this too and would like to incorporate the same.

Much thanks and regards,
John


Gonzalo Membrillo Solbes

Apr 22, 2024, 5:07:58 AM
to Wazuh | Mailing List
Hello again,

Just asking for confirmation regarding this. Did the events start showing up on the dashboard after adding the rule I shared above?
If so, you can modify the description to include the process that was created like so:
<rule id="100100" level="4">
    <if_group>windows</if_group>
    <field name="win.system.eventID">^4688$</field>
    <!-- 4688 stores the image path of the new process in eventdata.newProcessName -->
    <description>The following process has been created: $(win.eventdata.newProcessName)</description>
    <options>no_full_log</options>
</rule>
<rule id="100101" level="4">
    <if_group>windows</if_group>
    <field name="win.system.eventID">^4689$</field>
    <!-- 4689 stores the image path of the exiting process in eventdata.processName -->
    <description>The following process has exited: $(win.eventdata.processName)</description>
    <options>no_full_log</options>
</rule>

Note that we've had to separate the rule into 2 since the field that stores the process name for the required events is different.

Regards,
Gonzalo
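Editor's note, with an added example that is not code from the thread or from Wazuh. Both of Gonzalo's replies come down to two things: match the alert on win.system.eventID, and pull the image path from a different eventdata field for 4688 (newProcessName) than for 4689 (processName). The Python below replays that logic over archives.json lines so the field paths can be checked offline before a rule is loaded: it applies the same ^4688$ / ^4689$ matches, fills the $(win.eventdata.…) placeholders the way the descriptions expect, and converts the hexadecimal process IDs the events carry (0x3b10, 0x5e3c) into the decimal PIDs John asked for. The sample lines are constructed: the 4688 and first 4689 mirror the field names and values posted earlier in the thread, while the clean-exit 4689 and the 4624 line are invented for contrast. The helper names (_archive_line, lookup, render, evaluate, evaluate_all) and the pid_field entries are this example's own, not Wazuh rule syntax.

Two caveats the thread leaves open. First, the posted 4688 event has an empty "Process Command Line"; that field is only populated when the separate "Include command line in process creation events" policy (Audit Process Creation, under System in Administrative Templates) is also enabled, which the GPO for 4688 alone does not do. Second, the Security log has no "crashed" event: 4689's Exit Status (the status field, 0x1 in both of John's samples) is the nearest signal, and a non-zero value only means the process returned a non-zero code. Genuine application crashes are written by Windows Error Reporting to the Application log (source "Application Error", Event ID 1000), which the agent would need to collect as an additional eventchannel localfile; that is outside what the thread covers.

```python
import json
import re


def _archive_line(event_id, eventdata, agent="PCNAMEHERE"):
    """Build one archives.json line in the shape the windows_eventchannel decoder emits.
    Only the fields the rules touch are filled in (constructed sample, not a real line)."""
    return json.dumps({
        "agent": {"id": "005", "name": agent},
        "decoder": {"name": "windows_eventchannel"},
        "data": {"win": {
            "system": {"providerName": "Microsoft-Windows-Security-Auditing",
                       "channel": "Security", "eventID": event_id},
            "eventdata": eventdata,
        }},
        "location": "EventChannel",
    })


SAMPLE_ARCHIVE_LINES = [
    # 4688: field names and values taken from the event posted in the thread.
    _archive_line("4688", {
        "subjectUserName": "John", "newProcessId": "0x3b10", "processId": "0x3d3c",
        "newProcessName": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "parentProcessName": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    }),
    # 4689 with a non-zero exit status, again from the thread.
    _archive_line("4689", {
        "subjectUserName": "John", "processId": "0x5e3c", "status": "0x1",
        "processName": r"C:\Windows\System32\backgroundTaskHost.exe",
    }),
    # 4689 with a clean exit (constructed; no such event appears in the thread).
    _archive_line("4689", {
        "subjectUserName": "John", "processId": "0x1a2b", "status": "0x0",
        "processName": r"C:\Windows\System32\notepad.exe",
    }),
    # An unrelated Security event (constructed): must match neither rule.
    _archive_line("4624", {"targetUserName": "John", "logonType": "2"}),
]

# The two rules from the thread. pid_field is this example's addition so the alert
# can carry a decimal PID; the events store PIDs as hex strings such as "0x3b10".
RULES = [
    {"id": 100100, "level": 4, "event_id": re.compile(r"^4688$"),
     "description": "The following process has been created: $(win.eventdata.newProcessName)",
     "pid_field": "win.eventdata.newProcessId"},
    {"id": 100101, "level": 4, "event_id": re.compile(r"^4689$"),
     "description": "The following process has exited: $(win.eventdata.processName)",
     "pid_field": "win.eventdata.processId"},
]

PLACEHOLDER = re.compile(r"\$\(([A-Za-z0-9_.]+)\)")  # matches $(win.eventdata.x)


def lookup(data, dotted):
    """Resolve a dotted field path against the decoded 'data' object; None if absent."""
    cur = data
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def render(template, data):
    """Substitute $(field) placeholders. A missing field keeps its placeholder text
    (an assumption of this example, not a statement about Wazuh's own behaviour)."""
    def fill(match):
        value = lookup(data, match.group(1))
        return match.group(0) if value is None else str(value)
    return PLACEHOLDER.sub(fill, template)


def evaluate(archive_line):
    """Return an alert dict for the first matching rule, or None."""
    event = json.loads(archive_line)
    # <if_group>windows</if_group> is approximated by requiring the eventchannel decoder.
    if event.get("decoder", {}).get("name") != "windows_eventchannel":
        return None
    data = event.get("data", {})
    event_id = lookup(data, "win.system.eventID")
    if event_id is None:
        return None
    for rule in RULES:
        if not rule["event_id"].search(event_id):
            continue
        pid_hex = lookup(data, rule["pid_field"])
        alert = {
            "rule_id": rule["id"], "level": rule["level"], "agent": event["agent"]["name"],
            "description": render(rule["description"], data),
            "pid": int(pid_hex, 16) if pid_hex else None,
        }
        if event_id == "4689":
            # 4689 carries the exit code; a non-zero value is the closest thing to
            # "ended abnormally" that the Security log offers.
            status = int(lookup(data, "win.eventdata.status"), 16)
            alert["exit_status"] = status
            alert["abnormal_exit"] = status != 0
        return alert
    return None


def evaluate_all(archive_lines):
    """Run every line through the rules and keep only the alerts."""
    return [alert for alert in map(evaluate, archive_lines) if alert is not None]


if __name__ == "__main__":
    for alert in evaluate_all(SAMPLE_ARCHIVE_LINES):
        print(f"rule {alert['rule_id']} level {alert['level']} pid {alert['pid']}: {alert['description']}")
```

To run it against real data, replace SAMPLE_ARCHIVE_LINES with the lines of /var/ossec/logs/archives/archives.json (one JSON object per line, as in John's grep output); any line whose rendered description still contains a literal $(…) points at a field path the rule would not be able to fill.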

Wazuh Emailer

Apr 25, 2024, 12:36:32 AM
to Wazuh | Mailing List
Hi Gonzalo,

Thanks for the help!
It's perfect.

Warm regards,
John

Gonzalo Membrillo Solbes

Apr 30, 2024, 2:34:20 AM
to Wazuh | Mailing List
Hello John,

I'm glad I was able to help!
Feel free to get in contact with us again should you require anything else.

Regards,
Gonzalo