Windows bitlocker monitoring
Stefan Penchev
<group name="Bitlocker">
<rule id="900004" level="11">
<decoded_as>windows_eventchannel</decoded_as>
<field name="win.system.channel">^Microsoft-Windows-BitLocker/BitLocker Management$</field>
<field name="EventID">^778$</field>
<description>Windows Bitlocker: Drive was reverted to an unprotected state</description>
<options>no_full_log</options>
</rule>
</group>
At windows endpoint in ossec.conf i have the channel log monitored:
<localfile>
<location>Microsoft-Windows-BitLocker/BitLocker Management</location>
<log_format>eventchannel</log_format>
</localfile>
Md. Nazmur Sakib
I am looking into your issue. I will get back to you soon with my findings.
Md. Nazmur Sakib
There are some small errors in your rule. The field name should be win.system.eventID for the eventID
<field name="win.system.eventID">^778$</field>
This rule matches another lower-level rule from the Windows rule group. So you need to mention the parent rule ID or rule group in the child rule.
While making a custom Windows eventchannel rule, it is safe to use the parent rule group as windows
<if_group>windows</if_group>
Use ID numbers between 100000 and 120000 for custom rules to avoid conflicts with out-of-the-box system rules.
<group name="Bitlocker,windows,">
<rule id="100104" level="11">
<if_group>windows</if_group>
<field name="win.system.channel">^Microsoft-Windows-BitLocker/BitLocker Management$</field>
<field name="win.system.eventID">^778$</field>
<description>Windows Bitlocker: Drive was reverted to an unprotected state</description>
<options>no_full_log</options>
</rule>
</group>
I was able to reproduce this alert using the above rule in my local environment.
Check these documents to learn more about the rule syntax.
Rules Syntax
Check this reference link to find out how to test Windows eventchannel logs with the ruleset test tool.
https://groups.google.com/g/wazuh/c/BjmzMmKZQJQ/m/9EFloqTtEQAJ
Let me know if this resolves your issue.