Sysmon rules issue

[ad...@neuralearth.io]

Hello,

I am using the latest rules and decoders. Messages from Sysmon in windows are not triggering any rules. I ran the windows agent in debug and captured a sent message and sent that message through logtest.

**Phase 1: Completed pre-decoding.

       full event: '{"type":"process","ID":2140617144,"timestamp":"2019/03/18 19:46:55","process":{"cmd":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","stime":0,"name":"WmiPrvSE.exe","size":3252224,"ppid":8,"priority":8,"pid":12092,"session":0,"nlwp":10,"utime":0,"vm_size":13557760}}'

       timestamp: '(null)'

       hostname: 'wazuh'

       program_name: '(null)'

       log: '{"type":"process","ID":2140617144,"timestamp":"2019/03/18 19:46:55","process":{"cmd":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","stime":0,"name":"WmiPrvSE.exe","size":3252224,"ppid":8,"priority":8,"pid":12092,"session":0,"nlwp":10,"utime":0,"vm_size":13557760}}'

**Phase 2: Completed decoding.

       decoder: 'json'

       type: 'process'

       ID: '2140617144'

       timestamp: '2019/03/18 19:46:55'

       process.cmd: 'C:\Windows\System32\wbem\WmiPrvSE.exe'

       process.stime: '0'

       process.name: 'WmiPrvSE.exe'

       process.size: '3252224'

       process.ppid: '8'

       process.priority: '8'

       process.pid: '12092'

       process.session: '0'

       process.nlwp: '10'

       process.utime: '0'

       process.vm_size: '13557760'

The agent config is as follows

    <localfile>

      <location>Microsoft-Windows-Sysmon/Operational</location>

      <log_format>eventchannel</log_format>

    </localfile>

But it does not seem to be matching the rules for sysmon. And I cannot get any rules to match at all. 

[Chema Martinez]

Hi,

The event you have caught from the agent is related to the inventory of running processes, not to Sysmon events. That is the reason it is not matching any Sysmon rule.

In addition, Sysmon rules are not available for the eventchannel format until Wazuh v3.9.0 (which will be released soon), so for the moment, I suggest you change the log_format option to eventlog. Wazuh v3.9.0 will include a full rework of Windows rules to make easier that rules to be understood and improve their capabilities. Here you can track the related developments:

- Sysmon rules for the eventchannel format: https://github.com/wazuh/wazuh-ruleset/pull/285

- Windows rules rework: https://github.com/wazuh/wazuh-ruleset/issues/324 and https://github.com/wazuh/wazuh-ruleset/pull/325

I hope it can help, don't hesitate to reach us for further doubts.

Best regards,

Chema.

Chema Martinez IT Security Engineer  The Open Source Security Platform

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6d578ec3-6280-4e80-ab8f-1659146ca478%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ad...@neuralearth.io]

I tested the change you recommended and I am not getting any logs from Sysmon in my debug output. Additionally, the website says 

Reading events from Windows Event Channel

You can additionally monitor specific Windows event channels. The location is the name of the event channel. This is the only way to monitor the Applications and Services logs.

That eventchannel is the only way to read events from an application log such as Sysmon. 

I have verified Sysmon is installed correctly and is producing events. 

[Chema Martinez]

Hi,

Sorry for the late response.

Which version of Wazuh are you using? For Wazuh v3.8.0, the way of collecting Windows events changed at all. However, after that, we noticed Sysmon rules weren't adapted to the new format. This has been already fixed and will be included in Wazuh v3.9.0, which will be released soon.

Here, you can see the related rules: https://github.com/wazuh/wazuh-ruleset/pull/285

Meanwhile, I would recommend you to collect Sysmon events in eventlog format instead of eventchannel. that could be done as follows:

<localfile>

  <location>Microsoft-Windows-Sysmon/Operational</location>

  <log_format>eventlog</log_format>

</localfile>

I hope it helps, let us know if your issue persists or have any other doubts.

Best regards,

Chema.

Chema Martinez IT Security Engineer  The Open Source Security Platform

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/829fa7d5-d3e6-4d9e-8302-59123786f941%40googlegroups.com.