Wazuh custom rule


natasa jezdimirovic

Oct 29, 2025, 10:26:13 AM
to Wazuh | Mailing List
Hello,

I want to make an exception for tasks created by User S-1-5-20 where the task name begins with \\Microsoft\\Windows\\GroupPolicy. 
I tried something in rule below but that doesn't work.

I have custom rule for ignoring some Task Scheduler tasks,
<rule id="112000" level="10">
    <if_group>windows</if_group>
    <field name="win.eventdata.taskName" negate="yes">^\\\\Microsoft\\\\Office\\\\Office Feature Updates</field>
    <field name="win.eventdata.taskName" negate="yes">^\\\\OneDrive Reporting Task</field>
    <field name="win.eventdata.taskName" negate="yes">^\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\USO_UxBroker</field>
    <field name="win.system.message" negate="yes">^"User "S-1-5-20"  registered Task Scheduler task "\\\\Microsoft\\\\Windows\\\\GroupPolicy</field>
    <description>Task Scheduler registered</description>
</rule>


Olamilekan Abdullateef Ajani

Oct 29, 2025, 12:06:37 PM
to Wazuh | Mailing List
Hello,

The syntax in the rule you created for the last value is not accurate. I have made a correction below. Please modify at will to suit your use case. I also tested this to see that it works; please see attached.

<group name="custom test,">
  <rule id="112000" level="10">
    <if_group>windows</if_group>
    <field name="win.eventdata.taskName" type="pcre2" negate="yes">^\\\\Microsoft\\\\Windows\\\\GroupPolicy.*</field>
    <field name="win.eventdata.subjectUserSid" type="pcre2" negate="yes">^S-1-5-20.*</field>
    <description>Task Scheduler registered</description>
  </rule>
</group>

This would match the fields win.eventdata.taskName and win.eventdata.subjectUserSid, then negate them. I used the negate to follow what you did in your rule. I believe you do not want the rule to trigger when the events match.

You can find further references to syntax in the documentation below. Please let me know if you require further assistance on this.

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html#os-regex-syntax

natasa jezdimirovic

Oct 30, 2025, 4:17:36 AM
to Wazuh | Mailing List

Hello,

Thank you for your answer, that is what I need. But I also need to keep the other conditions in that rule (1, 2, 3):
How can I combine that?

<rule id="112000" level="10">
    <if_group>windows</if_group>
 1. <field name="win.eventdata.taskName" negate="yes">^\\\\Microsoft\\\\Office\\\\Office Feature Updates</field>
 2. <field name="win.eventdata.taskName" negate="yes">^\\\\OneDrive Reporting Task</field>
 3. <field name="win.eventdata.taskName" negate="yes">^\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\USO_UxBroker</field>
    <field name="win.system.message" negate="yes">^"User "S-1-5-20"  registered Task Scheduler task "\\\\Microsoft\\\\Windows\\\\GroupPolicy</field>
    <description>Task Scheduler registered</description>
</rule>

Olamilekan Abdullateef Ajani

Oct 30, 2025, 8:39:34 AM
to Wazuh | Mailing List
Hello,

You just need to append the rule I shared to the one you currently have to look like the block below.

<rule id="112000" level="10">
    <if_group>windows</if_group>
    <field name="win.eventdata.taskName" negate="yes">^\\\\Microsoft\\\\Office\\\\Office Feature Updates</field>
    <field name="win.eventdata.taskName" negate="yes">^\\\\OneDrive Reporting Task</field>
    <field name="win.eventdata.taskName" negate="yes">^\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\USO_UxBroker</field>
    <field name="win.eventdata.taskName" type="pcre2" negate="yes">^\\\\Microsoft\\\\Windows\\\\GroupPolicy.*</field>
    <field name="win.eventdata.subjectUserSid" type="pcre2" negate="yes">^S-1-5-20.*</field>
    <description>Task Scheduler registered</description>
</rule>

But remember, all the conditions (fields) in this rule will have to be evaluated before it can trigger, meaning the task name is NOT one of the common benign system tasks listed, and it was NOT created by the NETWORK SERVICE account.

Please let me know if you require further explanation on this.

natasa jezdimirovic

Oct 31, 2025, 4:42:26 AM
to Wazuh | Mailing List

Hello,

I want to ignore events from user S-1-5-20 only for tasks that begin with
\\Microsoft\\Windows\\GroupPolicy, not for all tasks created by S-1-5-20.
I also want to keep my other rules unchanged.

That’s the issue I’m facing.

Olamilekan Abdullateef Ajani

Oct 31, 2025, 8:23:55 AM
to Wazuh | Mailing List
Hello,

Then the previous rule I shared does exactly that.

<group name="custom test,">
  <rule id="112001" level="10">
    <if_group>windows</if_group>
    <field name="win.eventdata.taskName" type="pcre2" negate="yes">^\\\\Microsoft\\\\Windows\\\\GroupPolicy.*</field>
    <field name="win.eventdata.subjectUserSid" type="pcre2" negate="yes">^S-1-5-20.*</field>
    <description>Task Scheduler registered</description>
  </rule>
</group>

You can place this at the top of your rule so it gets evaluated first. OR you may also write another rule to capture those events and ignore them by setting the value of the rule level to 0, and remove the negate option from the rule. That way you keep your previous rules intact.

<group name="custom test,">
  <rule id="112003" level="0">
    <if_group>windows</if_group>
    <field name="win.eventdata.taskName" type="pcre2">^\\\\Microsoft\\\\Windows\\\\GroupPolicy.*</field>
    <field name="win.eventdata.subjectUserSid" type="pcre2">^S-1-5-20.*</field>
    <description>Task Scheduler registered</description>
  </rule>
</group>
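The difference between the two approaches in this thread, the combined rule with every field negated (Oct 30 reply) versus the level-0 carve-out with positive conditions (this reply), as an added Python model that is not part of the thread or of Wazuh itself. It assumes the behaviour the replies rely on (every field must pass, negate inverts one field, the rule placed first is evaluated first, a level-0 match ignores the event) and constructs sample events in the doubled-backslash form the thread's pcre2 patterns expect; the {GUID} suffix and the S-1-5-21 user SID are placeholders.

```python
import re

# Model of Wazuh <field> matching (not Wazuh's engine): every <field> must pass,
# negate="yes" inverts one field's result, the first matching rule in list
# order wins, and a level-0 match means the event is ignored.

def field_ok(event, name, pattern, negate):
    """One <field> condition: regex search on the field value, optionally inverted."""
    hit = re.search(pattern, event.get(name, "")) is not None
    return (not hit) if negate else hit

def first_match(rules, event):
    """(id, level) of the first rule whose <field> conditions all pass, or None."""
    for rule in rules:
        if all(field_ok(event, n, p, neg) for n, p, neg in rule["fields"]):
            return rule["id"], rule["level"]
    return None

def alerts(rules, event):
    """True when the event produces an alert (a matching rule with level > 0)."""
    match = first_match(rules, event)
    return match is not None and match[1] > 0

# Field names and patterns copied from the thread's rules.
TASK, SID = "win.eventdata.taskName", "win.eventdata.subjectUserSid"
BENIGN = [(TASK, r"^\\\\Microsoft\\\\Office\\\\Office Feature Updates", True),
          (TASK, r"^\\\\OneDrive Reporting Task", True),
          (TASK, r"^\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\USO_UxBroker", True)]
GP_TASK, NET_SVC = r"^\\\\Microsoft\\\\Windows\\\\GroupPolicy.*", r"^S-1-5-20.*"

RULE_112000 = {"id": 112000, "level": 10, "fields": BENIGN}
# Combined rule from the thread: the two new conditions negated like the others.
RULE_COMBINED = {"id": 112000, "level": 10,
                 "fields": BENIGN + [(TASK, GP_TASK, True), (SID, NET_SVC, True)]}
# Level-0 carve-out from the last reply: positive conditions, evaluated first.
RULE_112003 = {"id": 112003, "level": 0,
               "fields": [(TASK, GP_TASK, False), (SID, NET_SVC, False)]}
NEGATED_RULESET, CARVEOUT_RULESET = [RULE_COMBINED], [RULE_112003, RULE_112000]

# Constructed sample events (doubled backslashes as the pcre2 patterns expect);
# the {GUID} suffix and the S-1-5-21 user SID are placeholders, not real data.
GP, USER = r"\\Microsoft\\Windows\\GroupPolicy\\{GUID}", "S-1-5-21-1111-2222-3333-1001"
EVENTS = {
    "gp_by_netsvc": {TASK: GP, SID: "S-1-5-20"},  # the one case to ignore
    "other_by_netsvc": {TASK: r"\\Contoso\\Inventory", SID: "S-1-5-20"},
    "gp_by_user": {TASK: GP, SID: USER},
    "onedrive_by_user": {TASK: r"\\OneDrive Reporting Task", SID: USER},
}

def compare():
    """Per event: (alerts under the all-negated rule, alerts under the carve-out ruleset)."""
    return {name: (alerts(NEGATED_RULESET, ev), alerts(CARVEOUT_RULESET, ev))
            for name, ev in EVENTS.items()}
```

Under the all-negated rule nothing created by S-1-5-20 and no GroupPolicy task ever alerts; under the carve-out only the GroupPolicy task by S-1-5-20 is ignored while the three original exclusions still apply.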
