Active Directory log collecting & vulnerability assessment problems


Franck Ehret
Jun 15, 2022, 8:06:39 AM
to Wazuh mailing list
Hi there,

I have the following extra configuration for my domain controllers group:

<agent_config>
    <!-- Shared agent configuration here -->
    <!-- Collect Defender events -->
    <localfile>
        <location>Microsoft-Windows-Windows Defender/Operational</location>
        <log_format>eventchannel</log_format>
    </localfile>
    <!-- Collect Active Directory events. Each <location> must be the channel name exactly as
         Windows reports it (Get-WinEvent -ListLog), spaces included. -->
    <localfile>
        <location>Active Directory Web Services</location>
        <log_format>eventchannel</log_format>
    </localfile>
    <localfile>
        <location>DFS Replication</location>
        <log_format>eventchannel</log_format>
    </localfile>
    <localfile>
        <location>Directory Service</location>
        <log_format>eventchannel</log_format>
    </localfile>
    <localfile>
        <location>DNS Server</location>
        <log_format>eventchannel</log_format>
    </localfile>
    <!-- System inventory with hotfixes for the vulnerabilities report.
         The module name must be spelled "syscollector" in lowercase, as in the Wazuh
         documentation; the original post used "sysCollector". -->
    <wodle name="syscollector">
        <disabled>no</disabled>
        <interval>1h</interval>
        <scan_on_start>yes</scan_on_start>
        <hardware>yes</hardware>
        <os>yes</os>
        <network>yes</network>
        <packages>yes</packages>
        <hotfixes>yes</hotfixes>
        <ports all="no">yes</ports>
        <processes>yes</processes>
        <!-- Database synchronization settings -->
        <synchronization>
            <max_eps>10</max_eps>
        </synchronization>
    </wodle>
</agent_config>


The thing is: except for Windows Defender events, none of the rest is collected in Wazuh. And the syntax is correct, as all of these have a space in their name by default (in case a space would be the issue):

[Screenshot: Capture d'écran 2022-06-15 à 14.04.01.png]

Also, the vulnerability assessment part doesn't seem to work on all my servers (2016/2019 & 2022). I have the impression it's really collecting vulnerabilities whenever "it wants". Sometimes I get some, but I can't correlate it with a reboot or anything:

[Screenshot: Capture d'écran 2022-06-15 à 14.05.49.png]

Any tips for me? Thanks in advance! ;-)
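Before treating a channel as unsupported, it is worth checking on the DC itself that each `<location>` names a real channel and that the channel has actually written something, because the Wazuh agent forwards only events written after it subscribes (`only-future-events` defaults to yes) and a channel nobody writes to produces nothing. The following PowerShell check is an added example, not code from this thread or from Wazuh; it assumes the default agent install path under `C:\Program Files (x86)\ossec-agent`, where the manager-pushed shared configuration lands as `shared\agent.conf` and the agent log is `ossec.log`.

```powershell
# Added example (not from the thread or from Wazuh): verify that every eventchannel
# <location> in the shared agent.conf names a real channel on this DC and that the
# channel has written events, because the agent forwards only events written after it
# subscribes (only-future-events defaults to yes) and an empty channel yields nothing.
# Assumptions: default agent install path; run from an elevated PowerShell on the DC.
$AgentDir  = 'C:\Program Files (x86)\ossec-agent'
$AgentConf = Join-Path $AgentDir 'shared\agent.conf'   # merged copy pushed by the manager
$OssecLog  = Join-Path $AgentDir 'ossec.log'

function Get-WazuhEventChannels {
    param([string]$Path)
    # agent.conf may hold several <agent_config> roots and no XML declaration,
    # so strip any declaration and wrap the file before parsing it.
    $raw = (Get-Content -Path $Path -Raw) -replace '<\?xml[^>]*\?>', ''
    [xml]$doc = "<root>$raw</root>"
    foreach ($lf in $doc.root.agent_config.localfile) {
        if ($lf.log_format -eq 'eventchannel') { $lf.location }
    }
}

function Test-WazuhEventChannel {
    param([string[]]$Channel, [string]$LogPath)
    foreach ($name in $Channel) {
        # -ListLog is the authoritative spelling of the channel name, spaces included.
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        $verdict = if (-not $log)                  { 'MISSING: no channel with this exact name' }
                   elseif (-not $log.IsEnabled)    { 'DISABLED: enable the channel first' }
                   elseif ($log.RecordCount -eq 0) { 'EMPTY: nothing to forward until something logs' }
                   else                            { 'OK' }
        $count = if ($log) { $log.RecordCount } else { $null }
        $last  = if ($log) { $log.LastWriteTime } else { $null }
        # Any subscription failure for this channel shows up in the agent's own log.
        $agentLines = @()
        if (Test-Path $LogPath) {
            $agentLines = Select-String -Path $LogPath -SimpleMatch -Pattern $name |
                          Where-Object { $_.Line -match 'ERROR|WARNING' } |
                          Select-Object -Last 3 -ExpandProperty Line
        }
        [pscustomobject]@{
            Channel       = $name
            Verdict       = $verdict
            RecordCount   = $count
            LastWriteTime = $last
            AgentLog      = $agentLines -join ' | '
        }
    }
}

Test-WazuhEventChannel -Channel (Get-WazuhEventChannels -Path $AgentConf) -LogPath $OssecLog |
    Format-Table -AutoSize -Wrap
```

A row that comes back `OK` with a recent `LastWriteTime` but still never reaches the manager points at the agent side (look at the `AgentLog` column and the agent's connection state); an `EMPTY` row for a channel such as Directory Service usually means the DC is not logging that activity yet, which is a Windows diagnostics setting rather than a Wazuh one.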

Gustavo Choquevilca
Jun 15, 2022, 9:34:50 AM
to Wazuh mailing list
Hi, I hope you have a good day!

Give me a little time to research your question!

Franck Ehret
Jun 15, 2022, 9:48:29 AM
to Wazuh mailing list
Hi Gustavo,

Yes for sure!

PS: these are Windows Server 2022 Core domain controllers, but I don't think it makes a difference: those log entries were always named the same in previous versions.

Gustavo Choquevilca
Jun 15, 2022, 10:23:14 AM
to Wazuh mailing list
It is correct that currently you can only see Windows Defender, since it is one of the channels and providers available on Wazuh. You can check the supported providers at this link.

For this reason you can not see the others.

Gustavo Choquevilca
Jun 15, 2022, 10:51:05 AM
to Wazuh mailing list
I suggest you add these lines that I don't see in the image you shared!

<localfile>
    <!-- "eventlog" is the legacy Windows log format; "eventchannel" (used below) is the newer one -->
    <location>Application</location>
    <log_format>eventlog</log_format>
</localfile>

<localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <!-- Example exclusions: the noisiest object-access, handle and
         Windows Filtering Platform event IDs are dropped at the source -->
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]</query>
</localfile>

<localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
</localfile>
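An exclusion list like the one above is easy to get wrong in both directions (a stray `!=` drops an ID you need, or the list leaves a flood in place), and the only feedback Wazuh gives is whatever arrives at the manager. The script below is an added example, not code from this thread or from Wazuh: it takes the same `Event/System[...]` predicate, rewrites it into the `*[System[...]]` form that `Get-WinEvent -FilterXPath` accepts, runs it against the local Security log over a short window, and reports how many events the query would forward and which EventIDs still dominate. The window length, `-Top` and the function names are this example's own choices.

```powershell
# Added example (not from the thread or from Wazuh): dry-run a Wazuh localfile <query>
# against the local Security log before pushing it through agent.conf, and list which
# EventIDs still dominate the forwarded stream so the exclusion list can be tuned.
# Assumption: the query uses the Event/System[...] shape shown in Wazuh localfile blocks.
$WazuhQuery = 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and ' +
              'EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and ' +
              'EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'

function Get-WazuhQueryPredicate {
    param([string]$Query)
    # Pull the predicate out of Event/System[...]; the same predicate is valid inside the
    # *[System[...]] form that Get-WinEvent -FilterXPath documents.
    if ($Query -notmatch '(?s)^\s*Event/System\[(?<pred>.+)\]\s*$') {
        throw "Unsupported query shape: $Query"
    }
    $Matches.pred
}

function ConvertTo-EventXPath {
    param([string]$Predicate, [int]$Minutes)
    # timediff() bounds the query to the last N milliseconds, same as Event Viewer's custom views.
    $time = "TimeCreated[timediff(@SystemTime) <= $([int64]$Minutes * 60000)]"
    if ($Predicate) { "*[System[$time and ($Predicate)]]" } else { "*[System[$time]]" }
}

function Test-WazuhEventQuery {
    param([string]$LogName, [string]$Query, [int]$Minutes = 15, [int]$Top = 10)
    $pred = Get-WazuhQueryPredicate -Query $Query
    $all  = @(Get-WinEvent -LogName $LogName -FilterXPath (ConvertTo-EventXPath -Minutes $Minutes) -ErrorAction SilentlyContinue)
    $kept = @(Get-WinEvent -LogName $LogName -FilterXPath (ConvertTo-EventXPath -Predicate $pred -Minutes $Minutes) -ErrorAction SilentlyContinue)
    $keptIds = @{}
    foreach ($e in $kept) { $keptIds[$e.Id] = $true }
    $summary = [pscustomobject]@{
        LogName   = $LogName
        Minutes   = $Minutes
        Total     = $all.Count
        Forwarded = $kept.Count
        Dropped   = $all.Count - $kept.Count
    }
    # Which IDs make up the window, and whether each one survives the query.
    $topIds = $all | Group-Object Id | Sort-Object Count -Descending | Select-Object -First $Top |
        ForEach-Object {
            [pscustomobject]@{ EventID = [int]$_.Name; Count = $_.Count; Forwarded = $keptIds.ContainsKey([int]$_.Name) }
        }
    [pscustomobject]@{ Summary = $summary; TopEventIDs = $topIds }
}

$result = Test-WazuhEventQuery -LogName 'Security' -Query $WazuhQuery -Minutes 15
$result.Summary     | Format-List
$result.TopEventIDs | Format-Table -AutoSize
```

On a domain controller, check the `Forwarded` column for the authentication IDs the DC rules depend on (Kerberos 4768/4769/4771 and NTLM 4776 should stay `True`) before widening the exclusion list; the object-access IDs excluded above are safe to drop only if nothing downstream expects file or handle auditing from the DC.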

Gustavo Choquevilca
Jun 15, 2022, 11:50:50 AM
to Wazuh mailing list
The EventIDs are examples; here I found a link with some IDs. I'm not sure whether this information will be useful to you, but you can still take a look.

Franck Ehret
Jun 16, 2022, 7:45:30 AM
to Wazuh mailing list
Hi Gustavo,

(Please forget the private reply; the Reply to author button should be disabled, there is no added value to it, except mistakes!)

In short, so anybody can see:
- MS Defender's new functionality can check/analyze LDAP queries, which are generated in the Directory Service logs. That is the reason I wanted to get them.
- Is there a way to ingest those events (Active Directory Web Services, DFS Replication, Directory Services & DNS Server)? That would be nice for troubleshooting; I like the ELK interface (but I'm not confident writing new rules for them! You can help).
- I always got the events from Application/System & Security; this is part of the default agent configuration. No problem there.
- Maybe I'm not understanding the vulnerabilities concept, but I have the impression it doesn't work all the time. Could it be related to "patching too fast"? I usually release patches a few days after Patch Tuesday.
- I miss a dashboard with overall vulnerabilities (so tendencies for all agents cumulated). I have the impression it was there when I started using Wazuh, but I could be wrong. Anyway, this would be nice!

Thanks for all!

Kind regards
Franck
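The LDAP-query angle has a prerequisite on the Windows side that is easy to miss: a DC writes almost nothing to the Directory Service log until its NTDS diagnostic levels are raised. Expensive and inefficient search events (ID 1644, which carry the LDAP filter, base and the caller) require `15 Field Engineering` = 5 plus the search thresholds under `NTDS\Parameters`, and unsigned or simple-bind LDAP events (ID 2889) require `16 LDAP Interface Events` = 2. The script below is an added example, not code from this thread or from Wazuh; it reports the current levels, can raise them behind `-WhatIf`, and confirms the events exist locally. The three threshold values are illustrative starting points chosen for this example (the Windows defaults are 10000 / 1000 / 30000 ms; lower values log more), and it assumes an elevated session on the DC.

```powershell
# Added example (not from the thread or from Wazuh): show, and optionally raise, the NTDS
# diagnostic levels that make a domain controller write LDAP activity to the "Directory
# Service" log. Out of the box that log is almost silent: expensive/inefficient search
# events (1644) need "15 Field Engineering" = 5, and unsigned or simple LDAP bind
# events (2889) need "16 LDAP Interface Events" = 2. Assumption: run elevated on the DC.
$DiagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

$Targets = @(
    @{ Key = $DiagKey;   Name = '15 Field Engineering';                 Value = 5    }  # 1644 search logging
    @{ Key = $DiagKey;   Name = '16 LDAP Interface Events';             Value = 2    }  # 2889 unsigned/simple binds
    # 1644 thresholds: Windows defaults are 10000 / 1000 / 30000 and lower values log more.
    # The figures below are illustrative starting points for this example, not a recommendation.
    @{ Key = $ParamsKey; Name = 'Expensive Search Results Threshold';   Value = 5000 }
    @{ Key = $ParamsKey; Name = 'Inefficient Search Results Threshold'; Value = 500  }
    @{ Key = $ParamsKey; Name = 'Search Time Threshold (msecs)';        Value = 1000 }
)

function Get-NtdsLdapLogging {
    foreach ($t in $Targets) {
        # A missing threshold value means "Windows default", so Current comes back empty.
        $current = (Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue).($t.Name)
        [pscustomobject]@{ Key = $t.Key; Setting = $t.Name; Current = $current; Wanted = $t.Value }
    }
}

function Enable-NtdsLdapLogging {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($row in Get-NtdsLdapLogging) {
        if ($row.Current -eq $row.Wanted) { continue }
        if ($PSCmdlet.ShouldProcess("$($row.Key)\$($row.Setting)", "Set to $($row.Wanted)")) {
            # Set-ItemProperty creates the value when it does not exist yet.
            Set-ItemProperty -Path $row.Key -Name $row.Setting -Value $row.Wanted -Type DWord
        }
    }
}

# Review first; then `Enable-NtdsLdapLogging -WhatIf` to preview, and without -WhatIf to apply.
Get-NtdsLdapLogging | Format-Table -AutoSize

# Once the DC is logging, confirm the events exist locally before debugging the Wazuh side.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644, 2889 } -MaxEvents 5 -ErrorAction SilentlyContinue

# Matching agent.conf block if only these two events should be forwarded:
#   <localfile>
#       <location>Directory Service</location>
#       <log_format>eventchannel</log_format>
#       <query>Event/System[EventID = 1644 or EventID = 2889]</query>
#   </localfile>
```

Two caveats: 1644 records the full LDAP filter of every search that crosses a threshold, so aggressive thresholds on a busy DC produce a lot of data (and forward client-supplied filter text to the manager), and 2889 only tells you about unsigned binds; it does not reject them, so it is a detection feed for the "LDAP signing" hardening, not the hardening itself.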

Franck Ehret
Jun 16, 2022, 8:17:41 AM
to Wazuh mailing list
Here is a vulnerabilities dashboard possibility/suggestion (based on the events one):

[Screenshot: vul dash.png]

Gustavo Choquevilca
Jun 16, 2022, 10:09:13 AM
to Wazuh mailing list

Hello Franck, I hope you have a good day!

Another approach you can take to collect these events is by using syslog. 

[Screenshot: 1.png]

If you know where the logs are stored, you can send them to Wazuh. Here I share more information. 

Regarding the vulnerability scan, you are right, it is likely that the patches that are applied to your systems are taking effect and that is why you cannot see the vulnerabilities.

I recommend that you modify the vulnerability scan interval so that the vulnerabilities found show up more often; this setting is done in the file /var/ossec/etc/ossec.conf on the agents and on the managers.

You should configure the interval in the agent(/var/ossec/etc/ossec.conf), reduce it to 5m for example:

[Screenshot: 2.png]

You should configure the interval in the managers(/var/ossec/etc/ossec.conf), reduce it to 5m for example:

[Screenshot: 3.png]

Here you can find more detail about vulnerability scanning settings. 

I hope these new recommendations help you! Regards!
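Whether findings "come and go" is easier to settle from the API than from a dashboard panel, and the per-agent tally is also the raw material for the fleet-wide view asked for above. The script below is an added example, not code from this thread or from Wazuh. It assumes PowerShell 7 (for `-Authentication` and `-SkipCertificateCheck`), a Wazuh 4.x API (the 4.3-era endpoints `/security/user/authenticate`, `/agents` and `/vulnerability/{agent_id}`), a read-only API user, and that each vulnerability item carries `cve`, `name`, `version` and `severity`; the manager hostname is a placeholder, and `-SkipCertificateCheck` is there only for a self-signed API certificate and should be dropped once the certificate is trusted. The aggregation runs offline on a constructed sample so the logic can be tried without a manager.

```powershell
# Added example (not from the thread or from Wazuh): tally vulnerability findings across
# all agents straight from the Wazuh API, as a cross-check for an "overall" view and for
# results that seem to appear and disappear between scans.
# Assumptions: PowerShell 7, a Wazuh 4.x API at $Manager, a read-only API user, and
# /vulnerability/{agent_id} items carrying cve, name, version and severity.
# Drop -SkipCertificateCheck once the API certificate is trusted.
$Manager = 'https://wazuh-manager.example.internal:55000'   # placeholder hostname

function Get-WazuhToken {
    param([string]$Base, [pscredential]$Credential)
    $r = Invoke-RestMethod -Method Post -Uri "$Base/security/user/authenticate" `
         -Authentication Basic -Credential $Credential -SkipCertificateCheck
    $r.data.token   # short-lived JWT; re-authenticate when it expires
}

function Get-WazuhVulnerabilities {
    param([string]$Base, [string]$Token)
    $h = @{ Authorization = "Bearer $Token" }
    $agents = (Invoke-RestMethod -Uri "$Base/agents?status=active&select=id,name&limit=500" -Headers $h -SkipCertificateCheck).data.affected_items
    foreach ($a in $agents) {
        $items = (Invoke-RestMethod -Uri "$Base/vulnerability/$($a.id)?limit=5000" -Headers $h -SkipCertificateCheck).data.affected_items
        foreach ($v in $items) {
            [pscustomobject]@{ Agent = $a.name; CVE = $v.cve; Package = $v.name; Version = $v.version; Severity = $v.severity }
        }
    }
}

function Measure-WazuhVulnerabilities {
    param([object[]]$Findings)
    # One row per (agent, CVE, package); UniqueCVEs counts a CVE once however many packages carry it.
    $bySeverity = $Findings | Group-Object Severity | ForEach-Object {
        [pscustomobject]@{
            Severity   = $_.Name
            Findings   = $_.Count
            UniqueCVEs = @($_.Group.CVE   | Sort-Object -Unique).Count
            Agents     = @($_.Group.Agent | Sort-Object -Unique).Count
        }
    }
    $byAgent = $Findings | Group-Object Agent | ForEach-Object {
        [pscustomobject]@{
            Agent    = $_.Name
            Findings = $_.Count
            Critical = @($_.Group | Where-Object Severity -eq 'Critical').Count
            High     = @($_.Group | Where-Object Severity -eq 'High').Count
        }
    } | Sort-Object Findings -Descending
    [pscustomobject]@{ BySeverity = $bySeverity; ByAgent = $byAgent }
}

# Constructed sample rows (not real scan output) so the aggregation can be tried offline;
# the CVE identifiers are deliberately fake.
$Sample = @(
    [pscustomobject]@{ Agent = 'dc01'; CVE = 'CVE-0000-0001'; Package = 'Windows Server 2022'; Version = '10.0.20348'; Severity = 'Critical' }
    [pscustomobject]@{ Agent = 'dc01'; CVE = 'CVE-0000-0002'; Package = 'Windows Server 2022'; Version = '10.0.20348'; Severity = 'High' }
    [pscustomobject]@{ Agent = 'dc02'; CVE = 'CVE-0000-0001'; Package = 'Windows Server 2022'; Version = '10.0.20348'; Severity = 'Critical' }
    [pscustomobject]@{ Agent = 'fs01'; CVE = 'CVE-0000-0003'; Package = 'Windows Server 2019'; Version = '10.0.17763'; Severity = 'Medium' }
)
$tally = Measure-WazuhVulnerabilities -Findings $Sample
$tally.BySeverity | Format-Table -AutoSize
$tally.ByAgent    | Format-Table -AutoSize

# Live run against a manager (uncomment):
# $cred = Get-Credential; $tok = Get-WazuhToken -Base $Manager -Credential $cred
# Measure-WazuhVulnerabilities -Findings (Get-WazuhVulnerabilities -Base $Manager -Token $tok)
```

Running the live tally once before and once after a patch window, and keeping the two outputs, is the simplest way to tell "the scanner missed it" apart from "the hotfix removed it", which is the distinction the earlier replies were circling around.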
