Cylance Issues


ranxerox

Dec 23, 2021, 11:56:09 AM
to Wazuh mailing list
Hello

I am having some issues ingesting Cylance events into Wazuh. I am using Wazuh 4.2 and have configured the Cylance console to send events via SYSLOG:

2021 Dec 23 16:11:23 wazuh->52.67.244.213 1 2021-12-23T16:11:18.488000Z sysloghost CylancePROTECT - - - Event Type: ExploitAttempt, Event Name: terminated, Device Name: XXXX, IP Address: (192.168.XXX.XXX), Action: Terminated, Process ID: 3356, Process Name: ImagePathNotFound, User Name: XXXXXXX, Violation Type: Remote Thread Creation, Zone Names: (XX), Device Id: bf084741-365a-4b32-8122-17550a331b2e, Policy Name: XXXXXXXX

The events are coming in and ossec.conf is correctly configured, but there are no alerts in the Wazuh dashboard.

Any idea?

Thanks

Eduardo Braga

Christian Borla

Dec 24, 2021, 6:17:06 AM
to Wazuh mailing list
Hi Eduardo!
I hope you are doing fine!

To be sure about the Cylance configuration, it's possible to check whether events arrive at the Wazuh Manager: look for some Cylance events in /var/ossec/logs/archive/archive.json, as that file contains all raw data.

To enable archive.json logs, configure logall and logall_json in /var/ossec/etc/ossec.conf on the manager side.

<ossec_config>
  <global>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>


If there are no Cylance events in the archive.json file, events are not arriving at the Manager; it could be a configuration issue.

Check the remote configuration; it should look like the following configuration:
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips> your cylance ip </allowed-ips>
</remote>


On the other hand, if events arrive in the archive.json file, it's possible to check the decoders and ruleset configured. On the manager side, run /var/ossec/bin/wazuh-logtest and paste a sample log; it should be processed as in the following lines.

Starting wazuh-logtest v4.4.0
Type one log per line


2021 Dec 23 16:11:23 wazuh->52.67.244.213 1 2021-12-23T16:11:18.488000Z sysloghost CylancePROTECT - - - Event Type: ExploitAttempt, Event Name: terminated, Device Name: XXXX, IP Address: (192.168.XXX.XXX), Action: Terminated, Process ID: 3356, Process Name: ImagePathNotFound, User Name: XXXXXXX, Violation Type: Remote Thread Creation, Zone Names: (XX), Device Id: bf084741-365a-4b32-8122-17550a331b2e, Policy Name: XXXXXXXX

**Phase 1: Completed pre-decoding.
        full event: '2021 Dec 23 16:11:23 wazuh->52.67.244.213 1 2021-12-23T16:11:18.488000Z sysloghost CylancePROTECT - - - Event Type: ExploitAttempt, Event Name: terminated, Device Name: XXXX, IP Address: (192.168.XXX.XXX), Action: Terminated, Process ID: 3356, Process Name: ImagePathNotFound, User Name: XXXXXXX, Violation Type: Remote Thread Creation, Zone Names: (XX), Device Id: bf084741-365a-4b32-8122-17550a331b2e, Policy Name: XXXXXXXX'
        timestamp: '2021 Dec 23 16:11:23'

**Phase 2: Completed decoding.
        name: 'CylancePROTECT_2.0'
        CylancePROTECT.Action: 'Terminated'
        CylancePROTECT.Device.ID: 'bf084741-365a-4b32-8122-17550a331b2e'
        CylancePROTECT.Device.Name: 'XXXX'
        CylancePROTECT.Event.Name: 'terminated'
        CylancePROTECT.Event.Type: 'ExploitAttempt'
        CylancePROTECT.Policy.Name: 'XXXXXXXX'
        CylancePROTECT.Process.ID: '3356'
        CylancePROTECT.Process.Name: 'ImagePathNotFound'
        CylancePROTECT.Username: 'XXXXXXX'
        CylancePROTECT.Violation.Type: 'Remote Thread Creation'
        CylancePROTECT.Zone.Names: 'XX'

**Phase 3: Completed filtering (rules).
        id: '65702'
        level: '6'
        description: 'Cylance: Exploit Attempt was discovered within the ImagePathNotFound process. | Violation Type: Remote Thread Creation | User: XXXXXXX | Device Name: XXXX'
        groups: '['CylancePROTECT_2.0gdpr_IV_35.7.d']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.


I hope this helps you; let me know if that works.
Regards!
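As an added example (not code from the thread or from Wazuh's ruleset), the small Python parser below splits the RFC 5424 header of the quoted line from its "Key: Value" body and maps the fields to the dotted names shown in the Phase 2 output above, which makes it easy to see what a matching decoder is expected to extract. The dotted name used for "IP Address" (not present in the Phase 2 output) and the helper names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the syslog line quoted in this thread.
# "wazuh->52.67.244.213" is the location tag the Wazuh manager prepends;
# the Cylance message itself starts at the RFC 5424 version field "1".
SAMPLE = ("2021 Dec 23 16:11:23 wazuh->52.67.244.213 1 2021-12-23T16:11:18.488000Z "
          "sysloghost CylancePROTECT - - - Event Type: ExploitAttempt, Event Name: terminated, "
          "Device Name: XXXX, IP Address: (192.168.XXX.XXX), Action: Terminated, Process ID: 3356, "
          "Process Name: ImagePathNotFound, User Name: XXXXXXX, Violation Type: Remote Thread Creation, "
          "Zone Names: (XX), Device Id: bf084741-365a-4b32-8122-17550a331b2e, Policy Name: XXXXXXXX")

# RFC 5424 header: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
HEADER_RE = re.compile(
    r"(?:^|\s)1\s(?P<ts>\S+)\s(?P<host>\S+)\s(?P<app>\S+)\s\S+\s\S+\s\S+\s(?P<msg>.*)$")

# "Key: value" pairs separated by ", "; the lookahead stops a value at the next "Key: ".
KV_RE = re.compile(r"(?P<key>[A-Za-z][A-Za-z ]*?): (?P<val>.*?)(?=, [A-Za-z][A-Za-z ]*?: |$)")

# Cylance field labels -> dotted names as listed in the thread's Phase 2 decoder output.
FIELD_MAP = {
    "Event Type": "Event.Type", "Event Name": "Event.Name", "Device Name": "Device.Name",
    "Action": "Action", "Process ID": "Process.ID", "Process Name": "Process.Name",
    "User Name": "Username", "Violation Type": "Violation.Type", "Zone Names": "Zone.Names",
    "Device Id": "Device.ID", "Policy Name": "Policy.Name",
}
EXPECTED = {"CylancePROTECT." + v for v in FIELD_MAP.values()}


def parse_cylance_event(line: str) -> Dict[str, str]:
    """Return the decoded fields of a CylancePROTECT syslog line, or {} if it is not one."""
    m = HEADER_RE.search(line)
    if not m or m.group("app") != "CylancePROTECT":
        return {}
    fields = {"name": "CylancePROTECT", "syslog.host": m.group("host"), "syslog.ts": m.group("ts")}
    for kv in KV_RE.finditer(m.group("msg")):
        key, val = kv.group("key").strip(), kv.group("val").strip()
        if val.startswith("(") and val.endswith(")"):   # "(192.168.XXX.XXX)", "(XX)"
            val = val[1:-1]
        # Labels not in FIELD_MAP (e.g. "IP Address") get an assumed dotted name.
        fields["CylancePROTECT." + FIELD_MAP.get(key, key.replace(" ", "."))] = val
    return fields


def missing_fields(fields: Dict[str, str]) -> List[str]:
    """Fields from the thread's decoder output that were not extracted (coverage check)."""
    return sorted(EXPECTED - fields.keys())


if __name__ == "__main__":
    decoded = parse_cylance_event(SAMPLE)
    for k, v in decoded.items():
        print(f"{k}: {v!r}")
    print("missing:", missing_fields(decoded))
```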

ranxerox

Jan 4, 2022, 12:42:58 PM
to Wazuh mailing list
Hi Christian!

Thanks for the help.

I tested as you recommended and the decoder does not match the input:

root@wazuh:/var/ossec/bin# ./wazuh-logtest

Starting wazuh-logtest v4.2.5

Type one log per line

2021 Dec 23 16:11:23 wazuh->52.67.244.213 1 2021-12-23T16:11:18.488000Z sysloghost CylancePROTECT - - - Event Type: ExploitAttempt, Event Name: terminated, Device Name: XXXX, IP Address: (192.168.XXX.XXX), Action: Terminated, Process ID: 3356, Process Name: ImagePathNotFound, User Name: XXXXXXX, Violation Type: Remote Thread Creation, Zone Names: (XX), Device Id: bf084741-365a-4b32-8122-17550a331b2e, Policy Name: XXXXXXXX

**Phase 1: Completed pre-decoding.

full event: '2021 Dec 23 16:11:23 wazuh->52.67.244.213 1 2021-12-23T16:11:18.488000Z sysloghost CylancePROTECT - - - Event Type: ExploitAttempt, Event Name: terminated, Device Name: XXXX, IP Address: (192.168.XXX.XXX), Action: Terminated, Process ID: 3356, Process Name: ImagePathNotFound, User Name: XXXXXXX, Violation Type: Remote Thread Creation, Zone Names: (XX), Device Id: bf084741-365a-4b32-8122-17550a331b2e, Policy Name: XXXXXXXX'

timestamp: '2021 Dec 23 16:11:23'

**Phase 2: Completed decoding.

No decoder matched.

Should I consider the installed decoder deprecated? Where can I obtain the correct decoder?

The header of the decoder installed is:

0430-cylance_decoders.xml
<!--
  -  Cylance decoders
  -  Created by Wazuh, Inc.
  -  Copyright (C) 2015-2020, Wazuh Inc.
  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->

Regards!

Christian Borla

Jan 4, 2022, 3:36:47 PM
to Wazuh mailing list
Hi Eduardo!
I hope you are doing fine!
I repeated the process with the same log and it's working.
Please check if your ruleset is the latest: /var/ossec/ruleset/decoders/0430-cylance_decoders.xml and /var/ossec/ruleset/rules/0485-cylance_rules.xml

Current decoder file:
https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0430-cylance_decoders.xml

Current rules file:
https://github.com/wazuh/wazuh/blob/master/ruleset/rules/0485-cylance_rules.xml

You can update the decoder and rule files; after that, restart the manager to apply the changes. Be aware that they will be replaced by the default rules if you update Wazuh.

Also enable log collection and look for some Cylance logs in /var/ossec/logs/alerts/alerts.json

Let me know if this information is useful to you!
Regards.

ranxerox

Jan 25, 2022, 8:17:49 AM
to Wazuh mailing list
Hi Christian!


I hope you are doing fine!

Excuse me for the delay.

I followed your recommendation: I downloaded the updated Cylance decoder and rules files from the GitHub repository.

But after installing them on the Wazuh manager I received the same result from wazuh-logtest. There are no matches in the log evaluation.

I did a file comparison between the original XML file and the file in the GitHub repo, and they are the same. The only diff is the date in the header.

I noted that in your sample the name of the decoder is "name: 'CylancePROTECT_2.0'".

Can you send me this same XML? Apparently, in the GitHub repo, the file is compatible with the old SYSLOG Cylance format.

Regards

Eduardo