wazuh-agent: ERROR: Could not EvtSubscribe() for (SentinelOne/Operational) which returned (15001)


Daniel D'Angeli

Jul 14, 2023, 6:15:01 AM
to Wazuh mailing list
Hi,

I'm trying to gather event logs from the Event registry for SentinelOne, but this error keeps appearing.

The shared conf is the following:
<agent_config>
    <localfile>
        <location>SentinelOne/Operational</location>
        <log_format>eventchannel</log_format>
        <query>Event/System[EventID == 31 or EventID == 32]</query>
    </localfile>
</agent_config>

Any tips?

Regards,
Daniel D.

Sebastian Falcone

Jul 14, 2023, 6:37:41 AM
to Wazuh mailing list
Hello Daniel, I can't see the error.

Daniel D'Angeli

Jul 14, 2023, 6:38:26 AM
to Wazuh mailing list
Hi,

The error was in the subject, but it is the following: wazuh-agent: ERROR: Could not EvtSubscribe() for (SentinelOne/Operational) which returned (15001)

Regards,
Daniel D.

Sebastian Falcone

Jul 14, 2023, 6:58:42 AM
to Wazuh mailing list
Try rewriting the block this way:
<agent_config>
    <localfile>
        <location>SentinelOne/Operational</location>
        <log_format>eventchannel</log_format>
        <query>Event[EventID = 31 or EventID = 32]</query>
    </localfile>
</agent_config>

Daniel D'Angeli

Jul 19, 2023, 12:09:46 PM
to Wazuh mailing list
Hi,

The configuration you provided doesn't give any errors, but I still can't see the logs in the Wazuh GUI when they are present in the Event Viewer.

Wazuh agent config:
<localfile>
    <location>SentinelOne/Operational</location>
    <log_format>eventchannel</log_format>
</localfile>

Rules created:
<group name="sentinelone">

    <!-- Rule <field> names reference the decoded event, so the prefix is "win.",
         not "data." ("data." is only the name the field gets in the indexer).
         Event IDs are anchored with ^...$ so that 31 does not also match 310, 311, ... -->
    <rule id="100016" level="12">
        <field name="win.system.eventID">^31$</field>
        <description>SentinelOne: Malware detected on $(win.system.computer)</description>
        <options>alert_by_email</options>
    </rule>

    <rule id="100017" level="8">
        <field name="win.system.eventID">^32$</field>
        <field name="win.eventdata.action">^Quarantine</field>
        <field name="win.eventdata.result">^Success</field>
        <description>SentinelOne: Malware has been quarantined successfully</description>
    </rule>

    <rule id="100018" level="8">
        <field name="win.system.eventID">^32$</field>
        <field name="win.eventdata.action">^Kill</field>
        <field name="win.eventdata.result">^Success</field>
        <description>SentinelOne: Malware has been killed successfully</description>
    </rule>

    <!-- Event 32 whose result is anything other than Success -->
    <rule id="100019" level="8">
        <field name="win.system.eventID">^32$</field>
        <field name="win.eventdata.result" negate="yes">^Success</field>
        <description>SentinelOne: failed to take action on Malware</description>
    </rule>

    <!-- Five failed actions from the same host within an hour -->
    <rule id="100020" level="15" frequency="5" timeframe="3600">
        <if_matched_sid>100019</if_matched_sid>
        <same_system_name />
        <description>SentinelOne: unable to take action on Malware. Check host $(win.system.computer)</description>
        <options>alert_by_email</options>
    </rule>

</group>

When I download EICAR (malware sample), event 31 gets triggered for detection and event 32 gets triggered for deletion, but none of them are in the Wazuh GUI.
[attachment: Screenshot 2023-07-19 180846.png]

Any tips?

Regards,
Daniel D.

Sebastian Falcone

Jul 20, 2023, 8:12:33 AM
to Wazuh mailing list
Hi, it seems I've got a typo in the configuration. I removed the /System from the configuration by accident:
<agent_config>
    <localfile>
        <location>SentinelOne/Operational</location>
        <log_format>eventchannel</log_format>
        <query>Event/System[EventID = 31 or EventID = 32]</query>
    </localfile>
</agent_config>
Let me know if this solves the issue
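As an added example (not code from the thread or from Wazuh), here is a small Python linter for an eventchannel <localfile> block that flags the two query defects seen above: `==`, which is not an XPath operator and makes EvtSubscribe() return 15001 (ERROR_EVT_INVALID_QUERY), and a query on the bare Event element instead of Event/System, which is accepted but never matches. The error-code names are from winerror.h; the regex for the agent log line is an assumption based on the message quoted in this thread.

```python
import re
import xml.etree.ElementTree as ET

# Windows event-log API error codes (winerror.h) that wazuh-agent prints verbatim in
# "Could not EvtSubscribe() ... which returned (N)". 15001 is the one from this thread.
EVT_ERRORS = {
    15000: "ERROR_EVT_INVALID_CHANNEL_PATH: <location> is not a valid channel path",
    15001: "ERROR_EVT_INVALID_QUERY: the <query> XPath is syntactically invalid",
    15007: "ERROR_EVT_CHANNEL_NOT_FOUND: that channel is not registered on this host",
}

# Assumed shape of the agent log line, taken from the message quoted in the thread.
LOG_RE = re.compile(
    r"Could not EvtSubscribe\(\) for \((?P<chan>[^)]+)\) which returned \((?P<code>\d+)\)"
)


def explain_evtsubscribe_error(log_line):
    """Return (channel, code, meaning) for an agent EvtSubscribe error line, else None."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    code = int(m.group("code"))
    return m.group("chan"), code, EVT_ERRORS.get(code, "unrecognised EVT error code")


def lint_localfile(xml_text):
    """Return the problems found in an eventchannel <localfile> block (empty = looks fine)."""
    root = ET.fromstring(xml_text)
    lf = root if root.tag == "localfile" else root.find(".//localfile")
    if lf is None:
        return ["no <localfile> element found"]
    problems = []
    if (lf.findtext("log_format") or "").strip() != "eventchannel":
        problems.append("log_format must be 'eventchannel' for a custom channel such as SentinelOne/Operational")
    query = lf.findtext("query")
    if query is None:  # no <query> means every event in the channel is collected
        return problems
    q = query.strip()
    if "==" in q:
        problems.append("'==' is not an XPath operator; use '=' (EvtSubscribe returns 15001)")
    if not (q.startswith("Event/System[") or q.startswith("*[System[")):
        problems.append("EventID lives under Event/System; a query on the bare Event element matches nothing")
    if q.count("[") != q.count("]"):
        problems.append("unbalanced brackets in <query>")
    return problems
```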

Daniel D'Angeli

Jul 20, 2023, 8:31:28 AM
to Wazuh mailing list
Hi,

I've removed the <query> parameter since I want to gather all the events. The current configuration is the following:
<localfile>
    <location>SentinelOne/Operational</location>
    <log_format>eventchannel</log_format>
</localfile>

I only have the wazuh-alerts index, so I created the following rules to create alerts:
The events are correctly generated on the machine, as per the following image:
[attachment: Screenshot 2023-07-19 180846.png]

In the Wazuh agent logs there are no errors appearing, but I still can't seem to get the SentinelOne events to be available in the Discover section of the Wazuh GUI.

Any tips on what I am missing?

Regards,
Daniel D.

Sebastian Falcone

Jul 21, 2023, 8:03:42 AM
to Wazuh mailing list
Let's go back a bit. Are we completely sure that SentinelOne logs are located in the eventchannel?

Daniel D'Angeli

Jul 21, 2023, 8:16:03 AM
to Wazuh mailing list
Did you even see the image attached? Yes, it is located under SentinelOne/Operational, and the Wazuh agent correctly finds it, saying "Analyzing SentinelOne/Operational".

Sebastian Falcone

Jul 24, 2023, 5:01:17 AM
to Wazuh mailing list
Can you provide an example of the logs you want to monitor? Let's check if the rules are okay.

Daniel D'Angeli

Jul 24, 2023, 10:28:02 AM
to Wazuh mailing list
Hi,

I have attached an export of the events from the Event Viewer. The rules created can be found in earlier answers.

Regards,
Daniel D.
[attachment: sentinelone.evtx]

Sebastian Falcone

Aug 4, 2023, 6:40:53 AM
to Wazuh mailing list
Really sorry for the delay. I will ask you to put the agent in debug mode to better see what's going on.

For that, we will need to modify the internal_options.conf file and add a line with agent.debug=2.

Daniel D'Angeli

Aug 4, 2023, 7:52:15 AM
to Sebastian Falcone, Wazuh mailing list
Hi,

I've set up agent.debug=2 as suggested, but in the log file there are no new lines regarding SentinelOne.

The only log line that was appearing when setting the log_format to eventlog was: non standard event log set "SentinelOne/Operation", but it doesn't appear when setting log_format to eventchannel.

Any tips?

Regards,
Daniel D.


Sebastian Falcone

Aug 7, 2023, 6:06:55 AM
to Wazuh mailing list
I was talking with the team. The SentinelOne logs integration with Wazuh must be developed to allow what you want to do.

I kindly ask you to open an issue requesting this feature (here).