Can't get Stage 3 rule to work for windows_eventchannel


Michael Doe

Dec 24, 2023, 12:16:30 AM
to Wazuh | Mailing List
I am looking to capture Windows Defender Attack surface (ASR) events into Wazuh, these are inside the Microsoft-Windows-Windows Defender/Operational channel.

I understand that this channel is already supported out of box with these.

  <rule id="60000" level="0">
    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules.</description>
  </rule>

  <rule id="60005" level="0">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-Windows Defender/Operational$</field>
    <options>no_full_log</options>
    <description>Group of Windows rules for the system channel.</description>
  </rule>

I can confirm that the logs I need are being sent to Wazuh; I captured them below using <logall_json>no</logall_json>

{"timestamp":"2023-12-22T12:51:39.647-0800","agent":{"id":"001","name":"MYHOST123","ip":"172.16.255.255"},"manager":{"name":"XXX-Sentinel"},"id":"1703278299.2068343294","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Windows Defender\",\"providerGuid\":\"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}\",\"eventID\":\"1122\",\"version\":\"0\",\"level\":\"4\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-12-22T20:51:38.6525714Z\",\"eventRecordID\":\"61283\",\"processID\":\"4100\",\"threadID\":\"23892\",\"channel\":\"Microsoft-Windows-Windows Defender/Operational\",\"computer\":\"MYHOST123.local.domain.com\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.\\r\\n For more information please contact your IT administrator.\\r\\n \\tID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2\\r\\n \\tDetection time: 2023-12-22T20:51:38.652Z\\r\\n \\tUser: NT AUTHORITY\\\\SYSTEM\\r\\n \\tPath: C:\\\\Program Files (x86)\\\\VX\\\\VXService.exe\\r\\n \\tProcess Name: C:\\\\Windows\\\\System32\\\\lsass.exe\\r\\n \\tTarget Commandline: \\\"C:\\\\Program Files (x86)\\\\VX\\\\VXService.exe\\\" S\\r\\n \\tParent Commandline: \\r\\n \\tInvolved File: \\r\\n \\tInheritance Flags: 0x00000000\\r\\n \\tSecurity intelligence Version: 1.403.936.0\\r\\n \\tEngine Version: 1.1.23110.2\\r\\n \\tProduct Version: 4.18.23110.3\\r\\n\\\"\"},\"eventdata\":{\"product Name\":\"Microsoft Defender Antivirus\",\"product Version\":\"4.18.23110.3\",\"iD\":\"9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2\",\"detection Time\":\"2023-12-22T20:51:38.652Z\",\"user\":\"NT AUTHORITY\\\\\\\\SYSTEM\",\"path\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\VX\\\\\\\\VXService.exe\",\"process Name\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\",\"security intelligence Version\":\"1.403.936.0\",\"engine Version\":\"1.1.23110.2\",\"ruleType\":\"ENT\\\\\\\\ConsR\",\"target 
Commandline\":\"\\\\\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\VX\\\\\\\\VXService.exe\\\\\\\" S\",\"inhertiance Flags\":\"0x00000000\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Windows Defender","providerGuid":"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}","eventID":"1122","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-12-22T20:51:38.6525714Z","eventRecordID":"61283","processID":"4100","threadID":"23892","channel":"Microsoft-Windows-Windows Defender/Operational","computer":"MYHOST123.local.domain.com","severityValue":"INFORMATION","message":"\"Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.\r\n For more information please contact your IT administrator.\r\n \tID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2\r\n \tDetection time: 2023-12-22T20:51:38.652Z\r\n \tUser: NT AUTHORITY\\SYSTEM\r\n \tPath: C:\\Program Files (x86)\\VX\\VXService.exe\r\n \tProcess Name: C:\\Windows\\System32\\lsass.exe\r\n \tTarget Commandline: \"C:\\Program Files (x86)\\VX\\VXService.exe\" S\r\n \tParent Commandline: \r\n \tInvolved File: \r\n \tInheritance Flags: 0x00000000\r\n \tSecurity intelligence Version: 1.403.936.0\r\n \tEngine Version: 1.1.23110.2\r\n \tProduct Version: 4.18.23110.3\r\n\""},"eventdata":{"product Name":"Microsoft Defender Antivirus","product Version":"4.18.23110.3","iD":"9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2","detection Time":"2023-12-22T20:51:38.652Z","user":"NT AUTHORITY\\\\SYSTEM","path":"C:\\\\Program Files (x86)\\\\VX\\\\VXService.exe","process Name":"C:\\\\Windows\\\\System32\\\\lsass.exe","security intelligence Version":"1.403.936.0","engine Version":"1.1.23110.2","ruleType":"ENT\\\\ConsR","target Commandline":"\\\"C:\\\\Program Files (x86)\\\\VX\\\\VXService.exe\\\" S","inhertiance Flags":"0x00000000"}}},"location":"EventChannel"}
I was going to create custom rules to capture these, the rule I came up with is below.
<group name="windows,windows_defender,">
  <rule id="100003" level="5">
    <if_sid>60005</if_sid>
    <field name="win.system.eventID">^1122$</field>
    <description>Microsoft Defender Exploit Guard audited an operation.</description>
    <options>no_full_log</options>
  </rule>
</group>

When I test using the ruleset test interface, I don't get Phase 3.

**Phase 1: Completed pre-decoding.
full event: '{"timestamp":"2023-12-22T12:51:39.647-0800","agent":{"id":"001","name":"MYHOST123","ip":"172.16.255.255"},"manager":{"name":"XXX-Sentinel"},"id":"1703278299.2068343294","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Windows Defender\",\"providerGuid\":\"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}\",\"eventID\":\"1122\",\"version\":\"0\",\"level\":\"4\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-12-22T20:51:38.6525714Z\",\"eventRecordID\":\"61283\",\"processID\":\"4100\",\"threadID\":\"23892\",\"channel\":\"Microsoft-Windows-Windows Defender/Operational\",\"computer\":\"MYHOST123.local.domain.com\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.\\r\\n For more information please contact your IT administrator.\\r\\n \\tID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2\\r\\n \\tDetection time: 2023-12-22T20:51:38.652Z\\r\\n \\tUser: NT AUTHORITY\\\\SYSTEM\\r\\n \\tPath: C:\\\\Program Files (x86)\\\\VX\\\\VXService.exe\\r\\n \\tProcess Name: C:\\\\Windows\\\\System32\\\\lsass.exe\\r\\n \\tTarget Commandline: \\\"C:\\\\Program Files (x86)\\\\VX\\\\VXService.exe\\\" S\\r\\n \\tParent Commandline: \\r\\n \\tInvolved File: \\r\\n \\tInheritance Flags: 0x00000000\\r\\n \\tSecurity intelligence Version: 1.403.936.0\\r\\n \\tEngine Version: 1.1.23110.2\\r\\n \\tProduct Version: 4.18.23110.3\\r\\n\\\"\"},\"eventdata\":{\"product Name\":\"Microsoft Defender Antivirus\",\"product Version\":\"4.18.23110.3\",\"iD\":\"9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2\",\"detection Time\":\"2023-12-22T20:51:38.652Z\",\"user\":\"NT AUTHORITY\\\\\\\\SYSTEM\",\"path\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\VX\\\\\\\\VXService.exe\",\"process Name\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\",\"security intelligence Version\":\"1.403.936.0\",\"engine Version\":\"1.1.23110.2\",\"ruleType\":\"ENT\\\\\\\\ConsR\",\"target 
Commandline\":\"\\\\\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\VX\\\\\\\\VXService.exe\\\\\\\" S\",\"inhertiance Flags\":\"0x00000000\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Windows Defender","providerGuid":"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}","eventID":"1122","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-12-22T20:51:38.6525714Z","eventRecordID":"61283","processID":"4100","threadID":"23892","channel":"Microsoft-Windows-Windows Defender/Operational","computer":"MYHOST123.local.domain.com","severityValue":"INFORMATION","message":"\"Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.\r\n For more information please contact your IT administrator.\r\n \tID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2\r\n \tDetection time: 2023-12-22T20:51:38.652Z\r\n \tUser: NT AUTHORITY\\SYSTEM\r\n \tPath: C:\\Program Files (x86)\\VX\\VXService.exe\r\n \tProcess Name: C:\\Windows\\System32\\lsass.exe\r\n \tTarget Commandline: \"C:\\Program Files (x86)\\VX\\VXService.exe\" S\r\n \tParent Commandline: \r\n \tInvolved File: \r\n \tInheritance Flags: 0x00000000\r\n \tSecurity intelligence Version: 1.403.936.0\r\n \tEngine Version: 1.1.23110.2\r\n \tProduct Version: 4.18.23110.3\r\n\""},"eventdata":{"product Name":"Microsoft Defender Antivirus","product Version":"4.18.23110.3","iD":"9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2","detection Time":"2023-12-22T20:51:38.652Z","user":"NT AUTHORITY\\\\SYSTEM","path":"C:\\\\Program Files (x86)\\\\VX\\\\VXService.exe","process Name":"C:\\\\Windows\\\\System32\\\\lsass.exe","security intelligence Version":"1.403.936.0","engine Version":"1.1.23110.2","ruleType":"ENT\\\\ConsR","target Commandline":"\\\"C:\\\\Program Files (x86)\\\\VX\\\\VXService.exe\\\" S","inhertiance Flags":"0x00000000"}}},"location":"EventChannel"}'

**Phase 2: Completed decoding.
name: 'json'
agent.id: '001'
agent.ip: '172.16.255.255'
agent.name: 'MYHOST123'
data.win.eventdata.detection Time: '2023-12-22T20:51:38.652Z'
data.win.eventdata.engine Version: '1.1.23110.2'
data.win.eventdata.iD: '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
data.win.eventdata.inhertiance Flags: '0x00000000'
data.win.eventdata.path: 'C:\\Program Files (x86)\\VX\\VXService.exe'
data.win.eventdata.process Name: 'C:\\Windows\\System32\\lsass.exe'
data.win.eventdata.product Name: 'Microsoft Defender Antivirus'
data.win.eventdata.product Version: '4.18.23110.3'
data.win.eventdata.ruleType: 'ENT\\ConsR'
data.win.eventdata.security intelligence Version: '1.403.936.0'
data.win.eventdata.target Commandline: '\"C:\\Program Files (x86)\\VX\\VXService.exe\" S'
data.win.eventdata.user: 'NT AUTHORITY\\SYSTEM'
data.win.system.channel: 'Microsoft-Windows-Windows Defender/Operational'
data.win.system.computer: 'MYHOST123.local.domain.com'
data.win.system.eventID: '1122'
data.win.system.eventRecordID: '61283'
data.win.system.keywords: '0x8000000000000000'
data.win.system.level: '4'
data.win.system.message: '"Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.
 For more information please contact your IT administrator.
  ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
  Detection time: 2023-12-22T20:51:38.652Z
  User: NT AUTHORITY\SYSTEM
  Path: C:\Program Files (x86)\VX\VXService.exe
  Process Name: C:\Windows\System32\lsass.exe
  Target Commandline: "C:\Program Files (x86)\VX\VXService.exe" S
  Parent Commandline:
  Involved File:
  Inheritance Flags: 0x00000000
  Security intelligence Version: 1.403.936.0
  Engine Version: 1.1.23110.2
  Product Version: 4.18.23110.3
"'
data.win.system.opcode: '0'
data.win.system.processID: '4100'
data.win.system.providerGuid: '{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}'
data.win.system.providerName: 'Microsoft-Windows-Windows Defender'
data.win.system.severityValue: 'INFORMATION'
data.win.system.systemTime: '2023-12-22T20:51:38.6525714Z'
data.win.system.task: '0'
data.win.system.threadID: '23892'
data.win.system.version: '0'
decoder.name: 'windows_eventchannel'
full_log: '{"win":{"system":{"providerName":"Microsoft-Windows-Windows Defender","providerGuid":"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}","eventID":"1122","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-12-22T20:51:38.6525714Z","eventRecordID":"61283","processID":"4100","threadID":"23892","channel":"Microsoft-Windows-Windows Defender/Operational","computer":"MYHOST123.local.domain.com","severityValue":"INFORMATION","message":"\"Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.\r\n For more information please contact your IT administrator.\r\n \tID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2\r\n \tDetection time: 2023-12-22T20:51:38.652Z\r\n \tUser: NT AUTHORITY\\SYSTEM\r\n \tPath: C:\\Program Files (x86)\\VX\\VXService.exe\r\n \tProcess Name: C:\\Windows\\System32\\lsass.exe\r\n \tTarget Commandline: \"C:\\Program Files (x86)\\VX\\VXService.exe\" S\r\n \tParent Commandline: \r\n \tInvolved File: \r\n \tInheritance Flags: 0x00000000\r\n \tSecurity intelligence Version: 1.403.936.0\r\n \tEngine Version: 1.1.23110.2\r\n \tProduct Version: 4.18.23110.3\r\n\""},"eventdata":{"product Name":"Microsoft Defender Antivirus","product Version":"4.18.23110.3","iD":"9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2","detection Time":"2023-12-22T20:51:38.652Z","user":"NT AUTHORITY\\\\SYSTEM","path":"C:\\\\Program Files (x86)\\\\VX\\\\VXService.exe","process Name":"C:\\\\Windows\\\\System32\\\\lsass.exe","security intelligence Version":"1.403.936.0","engine Version":"1.1.23110.2","ruleType":"ENT\\\\ConsR","target Commandline":"\\\"C:\\\\Program Files (x86)\\\\VX\\\\VXService.exe\\\" S","inhertiance Flags":"0x00000000"}}}'
id: '1703278299.2068343294'
location: 'EventChannel'
manager.name: 'XXX-Sentinel'
timestamp: '2023-12-22T12:51:39.647-0800'

I am pretty new to Wazuh, and have read a few posts about the rule test not working with windows_eventdata JSON, but all GitHub links lead to issues that were closed/resolved, so it sounds like it should be supported.

Is anyone able to help me out, what am I doing wrong here? Using latest Wazuh 4.7.1.

Michael Doe

Dec 24, 2023, 3:50:18 PM
to Wazuh | Mailing List
This does appear to be working actually, I can find the alerts in Wazuh.

However, I was not able to test Stage 3 using the logtest tool, hence I was thinking something was wrong with my rule when in fact it was working fine.

I tried the workaround described in "Windows Wazuh Agent not collecting some logs - EventChannel - Windows Server 2016 · Issue #7651 · wazuh/wazuh (github.com)"; however, I was never able to get Stage 3 to show up in the logtest tool.

Julio Gasco

Dec 26, 2023, 8:10:12 AM
to Wazuh | Mailing List
Hi Michael,
I am glad you were able to have the alerts working.
The logtest is not working because you are ingesting JSON, and it will try to work with decoded_as JSON decoders.
Eventchannel comes through a different path, so that is why logtest will not work.

You have 2 ways of testing EventChannel then:
- You can test by triggering the event on your Windows agent.
- You can create child rules that work with json instead of eventchannel in the decoded_as field.
For example, you can (temporarily) overwrite the rules with <decoded_as>json</decoded_as> instead of <decoded_as>windows_eventchannel</decoded_as>.

You will need to set this back once you have tested the JSON with the rules.
Let me know if this helps,
Regards!
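One way to check the rule chain offline without wazuh-logtest, as an added example that is not part of this thread and not Wazuh's own code: the script below loads the three rules posted above, flattens the event's JSON into the dotted field names that `<field name="...">` uses, and walks the `if_sid` chain 60000 -> 60005 -> 100003. It also shows why Stage 3 never appears when the event is pasted into logtest: with the decoder reported as `json` instead of `windows_eventchannel`, the root rule 60000 fails its `<decoded_as>` check and no child can match. Assumptions: the event is a constructed, trimmed subset of the `full_log` from the first post; the regex handling is a simplification of Wazuh's OS_Regex dialect that only translates `\.` (OS_Regex "any character") to Python's `.`, which is enough for the patterns in these rules but is not a full OS_Regex engine.

```python
import json
import re
import xml.etree.ElementTree as ET

# Rules as posted in the thread: built-in 60000 and 60005 plus the custom 100003.
RULES_XML = r"""
<group name="windows,windows_defender,">
  <rule id="60000" level="0">
    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules.</description>
  </rule>
  <rule id="60005" level="0">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-Windows Defender/Operational$</field>
    <options>no_full_log</options>
    <description>Group of Windows rules for the system channel.</description>
  </rule>
  <rule id="100003" level="5">
    <if_sid>60005</if_sid>
    <field name="win.system.eventID">^1122$</field>
    <description>Microsoft Defender Exploit Guard audited an operation.</description>
    <options>no_full_log</options>
  </rule>
</group>
"""

# Constructed event: a trimmed subset of the full_log captured in the first post.
EVENT_JSON = json.dumps({
    "win": {
        "system": {
            "providerName": "Microsoft-Windows-Windows Defender",
            "eventID": "1122",
            "channel": "Microsoft-Windows-Windows Defender/Operational",
            "computer": "MYHOST123.local.domain.com",
            "severityValue": "INFORMATION",
        },
        "eventdata": {
            "product Name": "Microsoft Defender Antivirus",
            "ruleType": "ENT\\ConsR",
        },
    }
})


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted keys such as 'win.system.eventID',
    the form that <field name="..."> references in a rule."""
    out = {}
    for key, val in obj.items():
        path = f"{prefix}{key}"
        if isinstance(val, dict):
            out.update(flatten(val, path + "."))
        else:
            out[path] = str(val)
    return out


def os_regex_to_python(pattern):
    """Simplified translation (assumption): in OS_Regex '\\.' means 'any character',
    the opposite of Python where it is a literal dot. Everything else passes through."""
    return pattern.replace(r"\.", ".")


def load_rules(xml_text):
    """Parse the parts of a Wazuh rule that decide a match: id, level, if_sid,
    decoded_as and the <field> regexes."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_sid": [s.strip() for s in (r.findtext("if_sid") or "").split(",") if s.strip()],
            "decoded_as": r.findtext("decoded_as"),
            "fields": [(f.get("name"), os_regex_to_python(f.text)) for f in r.findall("field")],
            "description": r.findtext("description"),
        })
    return rules


def evaluate(rules, decoder_name, event_json):
    """Return the ids of the rules that match, in chain order. A rule with if_sid only
    fires if one of its parents already matched; decoded_as must equal the decoder name."""
    fields = flatten(json.loads(event_json))
    matched = []
    for rule in rules:
        if rule["if_sid"] and not any(p in matched for p in rule["if_sid"]):
            continue
        if rule["decoded_as"] and rule["decoded_as"] != decoder_name:
            continue
        if all(name in fields and re.search(pat, fields[name]) for name, pat in rule["fields"]):
            matched.append(rule["id"])
    return matched


def alert_for(rules, decoder_name, event_json):
    """(id, level, description) of the deepest matching rule, or None. Level 0 means no alert."""
    chain = evaluate(rules, decoder_name, event_json)
    if not chain:
        return None
    rule = next(r for r in rules if r["id"] == chain[-1])
    return rule["id"], rule["level"], rule["description"]


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    # Decoded by the eventchannel path, as the agent delivers it: full chain, level 5 alert.
    print(evaluate(rules, "windows_eventchannel", EVENT_JSON))
    print(alert_for(rules, "windows_eventchannel", EVENT_JSON))
    # Decoded as plain 'json', which is what logtest does with pasted JSON: nothing matches.
    print(evaluate(rules, "json", EVENT_JSON))
```

Running it with the decoder name set to `json` reproduces the empty Stage 3 from the first post, and swapping `<decoded_as>windows_eventchannel</decoded_as>` for `<decoded_as>json</decoded_as>` in `RULES_XML` is the temporary workaround described above, verified before touching the manager's ruleset.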