Custom Rules


Abd ElRahman Khalid

Jun 1, 2023, 10:46:05 AM
to Wazuh mailing list
Hello Dears,

I'm trying to create a custom rule to detect the following Event IDs: (19090-19070-15268)
rule:
<group name="windows,">
  <rule id="100001" level="10">
    <!-- <field name="win.system.channel">^Microsoft-Windows-Hyper-V-VMMS-Admin$</field> -->
    <field name="win.system.eventID">^15268$|^19070$|^19090$</field>
    <description>Hit</description>
  </rule>
</group>


but it doesn't hit; however, when I try to test it, it works.

I need to generate an alert. Pictures will be attached for more understanding.



Screenshot_12.png
Screenshot_11.png

Julio Gasco

Jun 2, 2023, 7:17:48 AM
to Wazuh mailing list
Hi Abd,

What logs are you testing to get those results?
As Windows events come in a particular format, it can be that they are taken by another rule which might be silenced.
Windows event rules are defined in 0590-win-system_rules.xml.
This is in the default ruleset on your manager in /var/ossec/ruleset/rules/0590-win-system_rules.xml

So we need to see which rule applies to those events and call it with the if_sid tag in your custom rule, so it is triggered.

Here is some useful documentation on Windows events:

A way to determine the parent rule is enabling archives and checking the incoming events (the Windows event you are looking for should be triggered when this is enabled).

For that, follow the next procedure:
-Edit /var/ossec/etc/ossec.conf and set logall_json to yes:
<ossec_config> <global> ... <logall_json>yes</logall_json> </global> </ossec_config>
-Restart the Wazuh manager: systemctl restart wazuh-manager
-Once the service is back up, review /var/ossec/logs/archives/archives.json to check whether the incoming events
You can do: tail -f /var/ossec/logs/archives/archives.json to see the incoming events, and grep the output of that same command to filter for what you are looking for.
-Check for events that match what you are looking for; you can grep by the eventID number you are trying to filter.
-With this you will be able to see if events matching your logs are arriving and get more information on what alert they are triggering.
-Once you finish these tests, set <logall_json> back to no and restart the wazuh-manager again, as archives.json can get big really soon.

Once you know your parent rule ID, your custom rule will look similar to this one:

<group name="windows,">
  <rule id="100001" level="10">
    <if_sid>RULE_NUMBER</if_sid>
    <field name="win.system.eventID">^15268$|^19070$|^19090$</field>
    <description>Hit</description>
  </rule>
</group>


Replacing RULE_NUMBER with the parent rule that your event is triggering.

Let me know if this helps

Regards!
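The archives.json check and the resulting <if_sid> rule from the reply above, as an added Python example that is not part of this thread: it parses constructed archives.json lines (the rule IDs PARENT_A/PARENT_B, the agent name and the exact field layout under data.win.system are assumptions, not real ruleset entries), reports which rule each target event ID matched, and renders the child rule with <if_sid> filled in.

```python
import json
from collections import defaultdict

# Constructed sample of archives.json lines (one JSON object per line). The rule IDs,
# descriptions and agent name are placeholders; the last line has no "rule" object,
# which is how an event that matched no rule appears in archives.json.
SAMPLE_ARCHIVES = """\
{"timestamp":"2023-06-01T10:40:01.000+0000","rule":{"level":3,"id":"PARENT_A","description":"placeholder parent rule"},"agent":{"name":"hv01"},"data":{"win":{"system":{"eventID":"15268","channel":"Microsoft-Windows-Hyper-V-VMMS-Admin"}}},"location":"EventChannel"}
{"timestamp":"2023-06-01T10:40:02.000+0000","rule":{"level":3,"id":"PARENT_A","description":"placeholder parent rule"},"agent":{"name":"hv01"},"data":{"win":{"system":{"eventID":"19070","channel":"Microsoft-Windows-Hyper-V-VMMS-Admin"}}},"location":"EventChannel"}
{"timestamp":"2023-06-01T10:40:03.000+0000","rule":{"level":5,"id":"PARENT_B","description":"placeholder other rule"},"agent":{"name":"hv01"},"data":{"win":{"system":{"eventID":"4624","channel":"Security"}}},"location":"EventChannel"}
{"timestamp":"2023-06-01T10:40:04.000+0000","agent":{"name":"hv01"},"data":{"win":{"system":{"eventID":"19090","channel":"Microsoft-Windows-Hyper-V-VMMS-Admin"}}},"location":"EventChannel"}
"""

TARGET_EVENT_IDS = {"15268", "19070", "19090"}

def parent_rules(archive_text, target_ids):
    """Map each target eventID to the set of rule IDs it matched.

    An event with no "rule" object matched nothing; it is recorded as None
    instead of being dropped, so a missing parent rule is visible."""
    hits = defaultdict(set)
    for line in archive_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written last line is normal while tailing archives.json
        event_id = event.get("data", {}).get("win", {}).get("system", {}).get("eventID")
        if event_id not in target_ids:
            continue
        hits[event_id].add(event.get("rule", {}).get("id"))
    return dict(hits)

def render_child_rule(parent_rule_id, target_ids, rule_id="100001", level="10"):
    """Render the custom rule from the thread with <if_sid> set to the parent rule."""
    pattern = "|".join(f"^{eid}$" for eid in sorted(target_ids))
    return (
        '<group name="windows,">\n'
        f'  <rule id="{rule_id}" level="{level}">\n'
        f'    <if_sid>{parent_rule_id}</if_sid>\n'
        f'    <field name="win.system.eventID">{pattern}</field>\n'
        "    <description>Hit</description>\n"
        "  </rule>\n"
        "</group>"
    )

if __name__ == "__main__":
    found = parent_rules(SAMPLE_ARCHIVES, TARGET_EVENT_IDS)
    for eid in sorted(TARGET_EVENT_IDS):
        print(eid, "->", found.get(eid, "not seen in archives"))
    for parent in sorted(r for rules in found.values() for r in rules if r):
        print(render_child_rule(parent, TARGET_EVENT_IDS))
```

Against a real manager, replace SAMPLE_ARCHIVES with the contents of /var/ossec/logs/archives/archives.json captured while logall_json is enabled.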