Wazuh Alert Set Up Guide - Help Needed


Daria Leonteva

Jun 10, 2024, 3:53:01 AM
to Wazuh | Mailing List
Good afternoon All,

I am new to Wazuh SIEM and trying to implement it. I have tried to implement alerts for events such as:

1. Detecting Brute Force Attacks
2. Identifying when a scheduled task is created

However, I also ran into issues: everything seems to be working, but no alert is generated in Wazuh (sometimes it stops/crashes, but it's good that I have a backup copy I can just revert to).

Can someone please give clear instructions on how to implement it? I read the documentation, but I cannot put the pieces together on how to start.


Thank you,
Daria L

Cedrick Foko

Jun 10, 2024, 5:37:48 AM
to Wazuh | Mailing List
Hello Daria,

For brute force attack detection, you can follow the steps provided in this proof-of-concept guide: Detecting a brute-force attack - Proof of Concept guide (wazuh.com)
It explains how to run a brute force attack against Windows and Linux agents and visualize alerts on the dashboard.

Regarding the scheduled tasks, you can find the step-by-step guide to identify scheduled tasks on Windows agents in the following blog: Monitoring Windows task scheduler to detect attack persistence | Wazuh

I hope this helps.
Please let me know if you need any further help here.

Daria Leonteva

Jul 26, 2024, 1:39:17 AM
to Wazuh | Mailing List
Good afternoon Cedrick,

I was following the article about the scheduled task, and I have set up everything on the Wazuh side and Sysmon on the server, but it does not work. The event does not even appear on the Wazuh dashboard when I schedule the task on the server from the command line.

I have manually added the "C:\Program Files (x86)\ossec-agent\active-response\bin\analyze-scheduled-task.cmd"
specifically "analyze.schedulred-task.cmd" based on this path. Should it be generated automatically or do I need to add it manually?

Also, when I test the functionality by creating a scheduled task through this command "schtasks /create /tn test-task /tr "C:\Windows\System32\calc.exe" /sc onlogon /ru System /f"
the active response log is not generated automatically here "C:\Program Files (x86)\ossec-agent\logs\scheduled-tasks.log". 
I tried to add it manually and again it does not work. 

Can you please advise what could be the potential issue?

Thank you,
Daria 