Service Install Alert


Prajapati Hitesh

May 2, 2023, 2:04:23 PM
to Wazuh mailing list
Hello,

How can I trigger a mail alert if any service is installed on a Windows server?


Mauricio Ruben Santillan

May 2, 2023, 2:30:12 PM
to Wazuh mailing list
Hello Prajapati,

In order to get email alerts from a specific Windows event type, once you have configured your Generic email options, you should create a custom rule for these events so you can trigger email alerts using a granular email module.

According to Windows documentation here, the event ID for "a service was installed on the system" is 4697.

So in order to get alerts from these events, you would need to use a rule like the next one:
<rule id="100050" level="3">
  <if_group>windows</if_group>
  <field name="win.system.eventID">4697</field>
  <options>no_full_log</options>
  <description>Windows alert: A service was installed on the system.</description>
</rule>

This will make Wazuh create alerts with rule.id 100050 whenever a Windows event with eventID 4697 is ingested by Wazuh.


Now, for the agent to report these events, it needs to have its corresponding localfile module on its ossec.conf file. By default it is already included and looks as follows:
    <localfile>
      <location>Security</location>
      <log_format>eventchannel</log_format>
      <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and EventID != 5152 and EventID != 5157]</query>
    </localfile>


Once you have all this set, you just need to add the corresponding email_alerts module into your Wazuh Manager's ossec.conf to generate the email alerts:
<email_alerts>
  <email_to>y...@example.com</email_to>
  <rule_id>100050</rule_id>
  <do_not_delay />
</email_alerts>

Make sure to add your own email address to the module.

Let me know how it goes!
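The rule above, as a complete local rules file with an anchored event ID match and a child rule that raises the level when the service binary sits in a user-writable location. This is an added example written for this thread, not configuration from the reply above or from the Wazuh project: rule IDs 100050/100051, the `service_install` group name, the path regex and the `type="pcre2"` attribute (which assumes a Wazuh 4.x manager with PCRE2 field matching) are all my choices; `win.eventdata.serviceFileName` and `win.eventdata.serviceName` are the decoded field names Wazuh produces for event 4697.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example, not from the original post) -->
<group name="windows,service_install,">

  <!-- Base rule: every 4697 "a service was installed" event from the Security channel.
       ^4697$ anchors the match so nothing like 46970 would ever satisfy it. -->
  <rule id="100050" level="3">
    <if_group>windows</if_group>
    <field name="win.system.eventID">^4697$</field>
    <options>no_full_log</options>
    <description>Windows alert: A service was installed on the system.</description>
    <mitre>
      <id>T1543.003</id>
    </mitre>
  </rule>

  <!-- Child rule: same event, but the service executable lives under a temp or
       user-profile path. Legitimate installers rarely register services from there,
       so this copy of the alert is raised to level 10 for routing to email.
       Path patterns are assumptions; tune them to what your fleet actually installs. -->
  <rule id="100051" level="10">
    <if_sid>100050</if_sid>
    <field name="win.eventdata.serviceFileName" type="pcre2">(?i)\\(Temp|AppData|Users\\Public)\\</field>
    <options>no_full_log</options>
    <description>Windows alert: Service $(win.eventdata.serviceName) installed from a user-writable path: $(win.eventdata.serviceFileName)</description>
    <mitre>
      <id>T1543.003</id>
    </mitre>
  </rule>

</group>
```

Rule 100051 only fires after 100050 has matched, so listing both IDs in the `<rule_id>` element of `<email_alerts>` (for example `<rule_id>100050,100051</rule_id>`) keeps the original "any service installed" mail and adds the higher-severity one. Custom rule IDs should stay in the 100000-120000 range reserved for local rules so they never collide with the ruleset shipped by Wazuh. Restart the manager after editing the file so the new rules are loaded.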