Alert Sysmon
752 views
Skip to first unread message
gustavo rodriguez
Jun 10, 2022, 10:52:01 AM6/10/22
to Wazuh mailing list
good morning community,
I need to change the alert of a specific sysmon event,
Where "data.win.eventdata.image" is: C:\Windows\system32\cleanmgr.exe.
I perform this filter, but it gives me an error.
<group name="sysmon_eid11_detections,">
<rule id="100028" level="6">
<if_group>sysmon_event_11</if_group>
<field name="win.eventdata.image">^C:\Windows\system32\cleanmgr.exe</field>
<description>Executable file dropped in folder commonly used by malware.</description>
<hostname>^VW2k19SAPPRD$|^W2k19BKP$</hostname>
<description>Sysmon - Suspicious Process - svchost.exe</description>
</rule>
</group>
I need to change the alert of a specific sysmon event,
Where "data.win.eventdata.image" is: C:\Windows\system32\cleanmgr.exe.
I perform this filter, but it gives me an error.
<group name="sysmon_eid11_detections,">
<rule id="100028" level="6">
<if_group>sysmon_event_11</if_group>
<field name="win.eventdata.image">^C:\Windows\system32\cleanmgr.exe</field>
<description>Executable file dropped in folder commonly used by malware.</description>
<hostname>^VW2k19SAPPRD$|^W2k19BKP$</hostname>
<description>Sysmon - Suspicious Process - svchost.exe</description>
</rule>
</group>
Luis Daniel Avendaño Larios
Jun 10, 2022, 1:55:01 PM6/10/22
to Wazuh mailing list
Hello!
Thanks for using wazuh!
You can try the following rules:
<field name="win.eventdata.image">^C:\Windows\system32\cleanmgr.exe</field>
<description>Executable file dropped in folder commonly used by malware.</description>
</rule>
<rule id="100029" level="6">
<if_sid>100028</if_sid>
<field name="agent.name">^VW2k19SAPPRD$|^W2k19BKP$</field>
<description>Executable file dropped in folder commonly used by malware on agent $(agent.name).</description>
</rule>
</group>
These are parent-child rules, where we have the parent rule that will match the file C:\Windows\system32\cleanmgr.exe among all the events in the sysmon_event1 group.
Then we will have the daughter rule that will generate the alert for this type of event located in the agents with the names of the agents specified in the <field> field.
You can check our documentation about custom rules in the following links:
Custom Rules
Thanks for using wazuh!
You can try the following rules:
<group name="sysmon_eid11_detections,">
<rule id="100028" level="6">
<if_group>sysmon_event_1</if_group><rule id="100028" level="6">
<field name="win.eventdata.image">^C:\Windows\system32\cleanmgr.exe</field>
<description>Executable file dropped in folder commonly used by malware.</description>
<rule id="100029" level="6">
<if_sid>100028</if_sid>
<field name="agent.name">^VW2k19SAPPRD$|^W2k19BKP$</field>
<description>Executable file dropped in folder commonly used by malware on agent $(agent.name).</description>
</rule>
</group>
These are parent-child rules, where we have the parent rule that will match the file C:\Windows\system32\cleanmgr.exe among all the events in the sysmon_event1 group.
Then we will have the daughter rule that will generate the alert for this type of event located in the agents with the names of the agents specified in the <field> field.
You can check our documentation about custom rules in the following links:
Custom Rules
gustavo rodriguez
Jun 10, 2022, 2:15:37 PM6/10/22
to Wazuh mailing list
Hello Luis, thanks for your answer,
When I add the rule you mention, it throws me the following error, copy and paste like this.
When I restart wazuh-manager:
#wazuh-machine:/var/ossec/etc/rules# systemctl restart wazuh-manager
Job for wazuh-manager.service failed because the control process exited with error code.
See "systemctl status wazuh-manager.service" and "journalctl -xe" for details.
When I add the rule you mention, it throws me the following error, copy and paste like this.
When I restart wazuh-manager:
#wazuh-machine:/var/ossec/etc/rules# systemctl restart wazuh-manager
Job for wazuh-manager.service failed because the control process exited with error code.
See "systemctl status wazuh-manager.service" and "journalctl -xe" for details.
Luis Daniel Avendaño Larios
Jun 14, 2022, 3:04:58 PM6/14/22
to Wazuh mailing list
Hello!
Sorry for the late response.
This problem may have been caused by a duplicate ID in the rules since I used the same ID of the rule that you sent me. You could try changing the ID to my rules or to your rule. And then restart the manager.
In case this rule is not triggered as you wish, can you provide me with the JSON of the alert that was previously generated?
Sorry for the late response.
This problem may have been caused by a duplicate ID in the rules since I used the same ID of the rule that you sent me. You could try changing the ID to my rules or to your rule. And then restart the manager.
In case this rule is not triggered as you wish, can you provide me with the JSON of the alert that was previously generated?
You can find this in modules>security events>events>Filter by rule id or any other field>click alert to expand>click on JSON tab in the alert.
Hope this helps, I remain attentive to your response.
Regards,
Luis Avendaño.
Hope this helps, I remain attentive to your response.
Regards,
Luis Avendaño.
Reply all
Reply to author
Forward
0 new messages