Visualizing Windows Updates information in a custom Dashboard


Todor Dimitrov
Nov 26, 2024, 5:22:49 AM
to Wazuh | Mailing List
Greetings professionals,

Is there a way to visualize the Windows Updates information like the screenshot that I will attach with this question? My idea is that I want to be able to create a custom visualization of what version of Windows is installed on any single agent and what the latest update version available is, and to be able to filter them by agent.name. Thank you for your time.

Regards,

Todor Dimitrov

[Attachment: Screenshot 2024-11-26 120018.png]

Md. Nazmur Sakib
Nov 26, 2024, 6:34:53 AM
to Wazuh | Mailing List

Hi Todor,

You can see this information in the Inventory Data Dashboard of your endpoint.

The Dashboard is made from syscollector scan result data.

You can make custom Dashboards from alert data. By default, syscollector does not trigger alerts.

So first you need to write custom rules to trigger alerts for your syscollector data.

You can check these documents for assistance with creating rules:

Using Syscollector information to trigger alerts
Rules
Rules Syntax

Follow this document to create custom dashboards:

https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/creating-custom-dashboards.html

As Wazuh does not have the information about the latest update version available in the log, it will not be possible to visualize it in the dashboard.

I hope you find this information useful.

Todor Dimitrov
Nov 27, 2024, 7:09:31 AM
to Wazuh | Mailing List
Hi Nazmur,

Would you be able to help me create this custom rule to get the information from this wodle command, which runs a PowerShell command to get the information that I need regarding the Windows Updates:

    <wodle name="command">
      <disabled>no</disabled>
      <tag>WinUpdates</tag>
      <command>Powershell -c "Get-WmiObject -Class win32_quickfixengineering | ForEach-Object { @{Description = $_.Description; HotFixID = $_.HotFixID; InstalledOn = $_.InstalledOn } } | ConvertTo-Json -Compress"</command>
      <interval>12h</interval>
      <ignore_output>no</ignore_output>
      <run_on_start>yes</run_on_start>
      <timeout>0</timeout>
    </wodle>

I've added the wodle command on top to the Windows machine agent.
I created some custom rules in /var/ossec/etc/rules/windows_update.xml but I don't think they are working properly. Here is what I've done so far:

<group name="WinUpdates,">
  
    <rule id="100500" level="0">
        <decoded_as>json</decoded_as>
        <match>^{"Description":</match>
        <description>Windows Update Information: $(Description)</description>
        <group>windows,updates</group>
    </rule>
   
    <rule id="100501" level="3">
        <if_sid>100500</if_sid>
        <field name="Description">.*</field>
        <description>Windows Update Description: $(Description)</description>
        <group>windows,updates</group>
    </rule>
   
    <rule id="100502" level="3">
        <if_sid>100500</if_sid>
        <field name="HotFixID">.*</field>
        <description>Windows Update HotFixID: $(HotFixID)</description>
        <group>windows,updates</group>
    </rule>

    <rule id="100503" level="3">
        <if_sid>100500</if_sid>
        <field name="InstalledOn">.*</field>
        <description>Windows Update InstalledOn: $(InstalledOn)</description>
        <group>windows,updates</group>
    </rule>

</group>

I was following the same kind of syntax as the windows hardware counters but it didn't work for me. Can you please help me?

Regards, 

Todor

Md. Nazmur Sakib
Nov 28, 2024, 1:19:32 AM
to Wazuh | Mailing List

Your command generates logs in this format.

[{"Description":"Update","InstalledOn":{"value":"\/Date(1731434400000)\/","DateTime":"13 November 2024 00:00:00"},"HotFixID":"KB5045933"},{"Description":"Update","InstalledOn":{"value":"\/Date(1710093600000)\/","DateTime":"11 March 2024 00:00:00"},"HotFixID":"KB5034468"},{"Description":"Update","InstalledOn":{"value":"\/Date(1710093600000)\/","DateTime":"11 March 2024 00:00:00"},"HotFixID":"KB5011048"},{"Description":"Update","InstalledOn":{"value":"\/Date(1710180000000)\/","DateTime":"12 March 2024 00:00:00"},"HotFixID":"KB5015684"},{"Description":"Update","InstalledOn":{"value":"\/Date(1710093600000)\/","DateTime":"11 March 2024 00:00:00"},"HotFixID":"KB5020683"},{"Description":"Security Update","InstalledOn":{"value":"\/Date(1731434400000)\/","DateTime":"13 November 2024 00:00:00"},"HotFixID":"KB5046613"},{"Description":"Update","InstalledOn":{"value":"\/Date(1710180000000)\/","DateTime":"12 March 2024 00:00:00"},"HotFixID":"KB5035225"},{"Description":"Update","InstalledOn":{"value":"\/Date(1710352800000)\/","DateTime":"14 March 2024 00:00:00"},"HotFixID":"KB5036447"},{"Description":"Security Update","InstalledOn":{"value":"\/Date(1713290400000)\/","DateTime":"17 April 2024 00:00:00"},"HotFixID":"KB5037018"},{"Description":"Update","InstalledOn":{"value":"\/Date(1715623200000)\/","DateTime":"14 May 2024 00:00:00"},"HotFixID":"KB5037240"},{"Description":"Update","InstalledOn":{"value":"\/Date(1718215200000)\/","DateTime":"13 June 2024 00:00:00"},"HotFixID":"KB5037995"},{"Description":"Update","InstalledOn":{"value":"\/Date(1720548000000)\/","DateTime":"10 July 2024 00:00:00"},"HotFixID":"KB5039336"},{"Description":"Security Update","InstalledOn":{"value":"\/Date(1723658400000)\/","DateTime":"15 August 2024 00:00:00"},"HotFixID":"KB5041579"},{"Description":"Security Update","InstalledOn":{"value":"\/Date(1725991200000)\/","DateTime":"11 September 2024 00:00:00"},"HotFixID":"KB5043935"},{"Description":"Update","InstalledOn":{"value":"\/Date(1728410400000)\/","DateTime":"09 October 2024 00:00:00"},"HotFixID":"KB5043130"},{"Description":"Update","InstalledOn":{"value":"\/Date(1731434400000)\/","DateTime":"13 November 2024 00:00:00"},"HotFixID":"KB5046823"}]

These are not decoded by the JSON decoder, so you need to write decoders as well.

I am sharing some example decoders and rules.


<!-- Parent decoder: matches the JSON array line emitted by the WinUpdates wodle -->
<decoder name="win_updates">
  <prematch>^\.+HotFixID\.+InstalledOn</prematch>
</decoder>

<!-- First entry of the array -->
<decoder name="win_updates-child">
  <parent>win_updates</parent>
  <regex>DateTime":"(\.+)"\.+HotFixID":"(\.+)"</regex>
  <order>datetime1,hotfixID1</order>
</decoder>

<!-- Second entry of the array -->
<decoder name="win_updates-child">
  <parent>win_updates</parent>
  <regex>DateTime":"\.+"\.+HotFixID":"\.+"DateTime":"(\.+)"\.+HotFixID":"(\.+)"</regex>
  <order>datetime2,hotfixID2</order>
</decoder>

<!-- Whatever follows the second entry -->
<decoder name="win_updates-child">
  <parent>win_updates</parent>
  <regex>DateTime":"\.+"\.+HotFixID":"\.+"DateTime":"\.+"\.+HotFixID":"\.+"\.+{("\.+}\.+)}</regex>
  <order>hotfixID3</order>
</decoder>

Rule:

<group name="WinCounter,">
    <!-- Rule ids must be unique across the ruleset: windows_update.xml above already uses 100503, so drop or renumber one of them -->
    <rule id="100503" level="3">
        <decoded_as>win_updates</decoded_as>
        <description>Windows Update Hotfix</description>
        <group>windows,updates</group>
    </rule>
</group>



This should trigger an alert like this.



These are sample decoders and rules. Adjust them based on your needs. I am sharing a document that can be useful for writing decoders and rules.


Ref: https://documentation.wazuh.com/current/user-manual/ruleset/index.html


I hope you find this information useful.
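As an added example (not part of this thread and not Wazuh's own code), the Python below shows what the regex decoders above are pulling out of that log line: it parses the array the wodle emits, converts the WMI "/Date(ms)/" value to a UTC timestamp, picks the most recently installed hotfix, and re-emits one flat object per line, which is the shape the built-in JSON decoder handles without per-position regex decoders. The sample array, the null InstalledOn entry and the win_update field names are constructed; the KB ids and epoch values come from the output above.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample in the shape the WinUpdates wodle emits: a JSON array with
# WMI "/Date(ms)/" timestamps. KB ids are from the thread; the null InstalledOn
# is added to show how an undated hotfix is handled.
SAMPLE_LOG = (
    '[{"Description":"Update","InstalledOn":{"value":"\\/Date(1731434400000)\\/",'
    '"DateTime":"13 November 2024 00:00:00"},"HotFixID":"KB5045933"},'
    '{"Description":"Security Update","InstalledOn":{"value":"\\/Date(1713290400000)\\/",'
    '"DateTime":"17 April 2024 00:00:00"},"HotFixID":"KB5037018"},'
    '{"Description":"Update","InstalledOn":null,"HotFixID":"KB5011048"}]'
)

WMI_DATE = re.compile(r"/Date\((-?\d+)\)/")


def installed_on_utc(installed_on):
    """WMI epoch-ms "value" -> ISO UTC timestamp, or None when absent/invalid.
    "value" is the instant; "DateTime" is only the agent's local rendering."""
    m = WMI_DATE.fullmatch((installed_on or {}).get("value", ""))
    if not m:
        return None
    ts = datetime.fromtimestamp(int(m.group(1)) / 1000, tz=timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def flatten_hotfixes(log_line):
    """Parse the array into one flat record per hotfix under a win_update key."""
    entries = json.loads(log_line)
    if isinstance(entries, dict):  # ConvertTo-Json emits a bare object for one hotfix
        entries = [entries]
    return [{"win_update": {
        "hotfix_id": e.get("HotFixID"),
        "description": e.get("Description"),
        "installed_on": installed_on_utc(e.get("InstalledOn")),
    }} for e in entries]


def latest_hotfix(records):
    """Most recently installed hotfix; undated entries are ignored."""
    dated = [r for r in records if r["win_update"]["installed_on"]]
    return max(dated, key=lambda r: r["win_update"]["installed_on"]) if dated else None


def to_ndjson(records):
    """One object per line: the shape the built-in JSON decoder handles directly."""
    return "\n".join(json.dumps(r, separators=(",", ":")) for r in records)
```

Note that the "DateTime" strings in the thread read as local midnight while the epoch values are 18:00 UTC the previous day, so a dashboard should key on the epoch value rather than the rendered string.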

Todor Dimitrov
Nov 28, 2024, 10:09:32 AM
to Wazuh | Mailing List
Hi Nazmur, 

Thank you for that, I appreciate your quick response. It works fine for me. Have a great day.

Regards, 

Todor
