How to log Events in Microsoft-Windows-DriverFrameworks-UserMode Windows Event Viewer

[Víctor Ariel Hermosa Riveros]

I need to log events that are registered in Microsoft-Windows-DriverFrameworks-UserMode; specifically Events 2100, 2101, 2102, 2003, 2104, 2105, 2106. The events are logged in archives.log and archive.json but no alerts is showing in Wazuh Dashboard

 

[root@wazuh-server ~]# tail -f /var/ossec/logs/archives/archives.json | grep nb16032201 | grep 2102

{"timestamp":"2022-10-03T23:05:42.706+0000","agent":{"id":"001","name":"nb16032201","ip":"192.168.100.4"},"manager":{"name":"wazuh-server"},"id":"1664838342.2258536","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-DriverFrameworks-UserMode\",\"providerGuid\":\"{2e35aaeb-857f-4beb-a418-2e6c0e54d988}\",\"eventID\":\"2102\",\"version\":\"1\",\"level\":\"4\",\"task\":\"37\",\"opcode\":\"2\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-10-03T23:05:41.7037464Z\",\"eventRecordID\":\"85172\",\"processID\":\"1344\",\"threadID\":\"8584\",\"channel\":\"Microsoft-Windows-DriverFrameworks-UserMode/Operational\",\"computer\":\"nb16032201.bepsa.com.py\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Se reenvió una operación PnP o de energía (22, 2) al controlador de menor nivel para el dispositivo USB\\\\VID_06CB&PID_00DA\\\\49636F1B0466 con el estado 0xC00000BB.\\\"\"},\"uMDFHostDeviceRequest\":{\"lifetimeId\":\"{b56df501-5ccc-4a32-afeb-e09bbbbe5763}\",\"instanceId\":\"USB\\\\\\\\VID_06CB&PID_00DA\\\\\\\\49636F1B0466\",\"requestMajorCode\":\"22\",\"requestMinorCode\":\"2\",\"argument1\":\"0x100000000\",\"argument2\":\"0x4\",\"argument3\":\"0x0\",\"argument4\":\"0x0\",\"status\":\"3221225659\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-DriverFrameworks-UserMode","providerGuid":"{2e35aaeb-857f-4beb-a418-2e6c0e54d988}","eventID":"2102","version":"1","level":"4","task":"37","opcode":"2","keywords":"0x8000000000000000","systemTime":"2022-10-03T23:05:41.7037464Z","eventRecordID":"85172","processID":"1344","threadID":"8584","channel":"Microsoft-Windows-DriverFrameworks-UserMode/Operational","computer":"nb16032201.bepsa.com.py","severityValue":"INFORMATION","message":"\"Se reenvió una operación PnP o de energía (22, 2) al controlador de menor nivel para el dispositivo USB\\VID_06CB&PID_00DA\\49636F1B0466 con el estado 0xC00000BB.\""},"uMDFHostDeviceRequest":{"lifetimeId":"{b56df501-5ccc-4a32-afeb-e09bbbbe5763}","instanceId":"USB\\\\VID_06CB&PID_00DA\\\\49636F1B0466","requestMajorCode":"22","requestMinorCode":"2","argument1":"0x100000000","argument2":"0x4","argument3":"0x0","argument4":"0x0","status":"3221225659"}}},"location":"EventChannel"}

[Mauricio Ruben Santillan]

Hello!

A rule such as next one should trigger alerts for the named events:

<group name="windows-custom, ">

  <rule id="150001" level="7">

    <if_group>windows</if_group>

    <field name="win.system.providerName">^Microsoft-Windows-DriverFrameworks-UserMode$</field>

    <field name="win.system.eventID">^2100$|^2101$|^2102$|^2003$|^2104$|^2105$|^2106$</field>

    <description>Event from 'Microsoft-Windows-DriverFrameworks-UserMode'</description>

  </rule>

</group>

When creating custom rules for Windows events, using <if_group>windows</if_group> will asure you the rule will be used to analyze your events.

Make sure to set a proper ID to it (a not-existing one). You can of course, divide this rule into many so you can have different rule IDs for each event type.
There's information about custom rules next:

• https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
• https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
• https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

I hope this helps!

[Víctor Ariel Hermosa Riveros]

Thank you Very Much!!!

It worked, and It worked like charm!!!!

Again Thanks!!!