How to Extract Windows Message Title

[Ranjith Kesavan]

Hi Team, 

 

I have been using Wazuh for a while now and its awesome. However, I am stuck with one requirement. We have Wazuh decoding Windows events with JSON decoder. I want to have one field which only shows the title from data.win.system.message. 

 

Example : 

 

"An account was logged off.

 

Subject:

            Security ID:                   S-1-5-21-1251468313-4219967479-562825607-1356

            Account Name:              test_user

            Account Domain:            Sample.Domain

            Logon ID:                      0x24639810

 

Logon Type:                              3

 

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."

 

 

I want to extract only “An account was logged off.” as data.win.system.message.title. Can this be done somehow with the JSON decoder, may be by adding a child decoder ?  If it has to be done with a Rule, what would be the best approach to do this for all Windows Logs ?

Thank you In advance,

Ranjith. 

[Jose Luis Carreras Marin]

Hi Ranjith,

You need to create a new child decoder that extract just the field you want. Then add a custom rule that trigger with that. If you want tell me about a more specifically case.

Regards, Jose.

[Ranjith Kesavan]

Hi Jose, 

Thanks for the quick response. I tried to have a child decoder which doesn't seem to work. 

here is the full log : 

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4656","version":"1","level":"0","task":"12812","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-03T12:41:53.308655200Z","eventRecordID":"37277348","processID":"560","threadID":"568","channel":"Security","computer":"testhost.testdomain.Local","severityValue":"AUDIT_SUCCESS","message":"\"A handle to an object was requested.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\ttesthost$\r\n\tAccount Domain:\t\ttestdomain\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tFile\r\n\tObject Name:\t\t\\Device\\Floppy0\r\n\tHandle ID:\t\t0x624\r\n\tResource Attributes:\t-\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x570\r\n\tProcess Name:\t\tC:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\r\n\r\nAccess Request Information:\r\n\tTransaction ID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\tAccesses:\t\tREAD_CONTROL\r\n\t\t\t\tSYNCHRONIZE\r\n\t\t\t\tReadData (or ListDirectory)\r\n\t\t\t\tReadEA\r\n\t\t\t\tReadAttributes\r\n\t\t\t\t\r\n\tAccess Reasons:\t\t-\r\n\tAccess Mask:\t\t0x120089\r\n\tPrivileges Used for Access Check:\t-\r\n\tRestricted SID Count:\t0\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"testhost$","subjectDomainName":"testdomain","subjectLogonId":"0x3e7","objectServer":"Security","objectType":"File","objectName":"\\\\Device\\\\Floppy0","handleId":"0x624","transactionId":"{00000000-0000-0000-0000-000000000000}","accessList":"%%1538      %%1541      %%4416      %%4419      %%4423","accessMask":"0x120089","restrictedSidCount":"0","processId":"0x570","processName":"C:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe"},"keywords":{"keyword":"Audit Success"}}}

I want to extract "A handle to an object was requested" as eventTitle

This is the child decoder I tried: 

<decoder name="json">

  <prematch>^{\s*"</prematch>

  <plugin_decoder>JSON_Decoder</plugin_decoder>

</decoder>

<decoder name="Windows-logs">

 <parent>json</parent>

 <prematch>^{"win"</prematch>

 <regex>"message":"\\"(\.+).</regex>

 <order>eventTitle</order>

</decoder>

Am I missing something ? 

[Jose Luis Carreras Marin]

Hi, Ranjith,

I'm sorry to say that there are no easy solutions to this.

Those kind of events come from "eventchannel" and are decoded in C code, it's in this file:

/wazuh/src/analysisd/decoders/winevtchannel.c

In function:       

 int DecodeWinevt(Eventinfo *lf)

So it's not possible to use a different decoder. One possible option would be to edit this function, although you would change all the events on "eventchannel".

Another possible solution would be to change the way the events are obtained, change "eventchannel" to "eventlog", although it is a somewhat older system and perhaps deprecated. You can see more information here:

https://documentation.wazuh.com/3.11/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html

With eventlog, you can do a decoder and get your message.title.

I hope this can help you.

[Ranjith Kesavan]

Well In that case the only way around, I can think of would be to use Scripted fields in Kibana. create a array of objects with event IDs and mapping Event Titles and make "EventTitle" a scripted field. I will investigate on this option. Thanks for your the update. 

[Rhys Evans]

Hi,

I had the same problem, and as we go through logstash we went with a dictionary file and a lookup against that file

File was eventid -> human readable description

Be careful with the kibana approach as, when going into the Wazuh interface (and a timer) they reset some settings on the index pattern, which can make some settings undo themselves.

Thanks

[Elwali Karkoub]

Hello Ranjith,

If you are taking the path to use scripted field following is the script in painless :

if (doc['data.win.system.message'].size()==0) {
    return "doc with no win Message "
} else {
     return doc['data.win.system.message'].value.splitOnToken('.')[0];
}

Note that starting from 7.x elasticsearch you have to check if the field exists, thus my if condition.

As you can see below i have the winMessageTitle with only the title :



In other documents where win message does not exist you will have something similar to :




Full information of the field used  :



Hope this helps,

Regards,
Wali

[Elwali Karkoub]

Re-uploading the screenshots :

[Ranjith Kesavan]

Hi Elwali, 

wow, that was great Support. Thank you for the help. For now, I managed to use LogStash filter to extract the Event title. But your painless script gave a good idea regarding how to process many other logs. 

[Elwali Karkoub]

Hello Ranjith,

Glad you find it useful.

Regards,
Wali