File Monitoring not working for multiple files

malimbar

Mar 11, 2024, 5:57:26 AM
to Wazuh | Mailing List
Hi, I have created 4 files in different locations on a host machine; an audit policy is set for each and they are generating 4663 audit events in Event Viewer. I removed the EventId != 4663 filter in ossec.conf on the host.

I created the rules in local_rules for each (see below), but only the first rule is generating alerts on the Wazuh dash (100111). Can anyone assist me in troubleshooting why the other 3 files are not generating alerts on Wazuh?


<!-- Local rules -->
<group name="windows, windows_security,">
  <rule id="100111" level="16" ignore="60">
     <if_sid>60103</if_sid>
     <field name="win.system.eventID">^4663$</field>
     <field name="win.eventdata.objectName">C:\\\\Users\\\\Administrator\\\\Appdata\\\\Roaming\\\\HRPayRoll\\\\config.xml</field>
     <description>Object access of config.xml</description>
     <options>no_full_log</options>
  </rule>
</group>

<!-- Local rules -->
<group name="windows, windows_security,">
  <rule id="100112" level="16" ignore="60">
     <if_sid>60104</if_sid>
     <field name="win.system.eventID">^4663$</field>
     <field name="win.eventdata.objectName">C:\\\\Windows\\\\System32\\\\SwiftAccess.ps1</field>
     <description>Object access of SwiftAccess.ps1</description>
     <options>no_full_log</options>
  </rule>
</group>

<!-- Local rules -->
<group name="windows, windows_security,">
  <rule id="100113" level="16" ignore="60">
     <if_sid>60105</if_sid>
     <field name="win.system.eventID">^4663$</field>
     <field name="win.eventdata.objectName">C:\\\\ProgramData\\\\SwiftTransaction\\\\SwiftRunCheck.vbs</field>
     <description>Object access of SwiftRunCheck.vbs</description>
     <options>no_full_log</options>
  </rule>
</group>

<!-- Local rules -->
<group name="windows, windows_security,">
  <rule id="100115" level="16" ignore="60">
     <if_sid>60106</if_sid>
     <field name="win.system.eventID">^4663$</field>
     <field name="win.eventdata.objectName">C:\\\\Users\\\\Administrator\\\\Appdata\\\\Local\\\\Temp\\\\HRPayrollBudget2024.txt</field>
     <description>Object access of HRPayrollBudget2024.txt</description>
     <options>no_full_log</options>
  </rule>
</group>

malimbar

Mar 11, 2024, 7:57:08 AM
to Wazuh | Mailing List
NVM, I figured it out...

Found the issue with my if_sid in 0580-win-security_rules.xml
and I sorted out the grouping :)

Thx for reading.

Lucas Esteban Pedrosa

Mar 13, 2024, 9:38:59 AM
to Wazuh | Mailing List
Hello,

Good to read that you found it. Yes, the event must have been coming through that parent rule, so your if_sid for the other rules would be blocking it.

Regards,
Lucas
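To make the if_sid dependency concrete, here is an added example that is not code from this thread or from Wazuh itself. It is a small Python model of how a child rule only gets a chance to match once the parent it names in if_sid has matched the same event. Everything in it is an assumption or a constructed simplification: the parent rules are keyed on win.system.severityValue only (the real 0580-win-security_rules.xml rules are more involved), the sample event is a hand-built dict in the shape of Wazuh's Windows eventchannel JSON with just the fields used here, and the object-path patterns use Python's re.escape rather than the \\\\ escaping of the rule files. The rules as posted chain from four different parents; the corrected set chains all four from the one parent that a successful 4663 audit actually passes through.

```python
import re

# Constructed stand-in for the Windows security parent rules that the local
# rules chain from via <if_sid>. Assumption: each parent is keyed on a single
# field; the real ruleset (0580-win-security_rules.xml) is more involved.
PARENT_RULES = {
    60103: ("win.system.severityValue", r"^AUDIT_SUCCESS$"),
    60104: ("win.system.severityValue", r"^AUDIT_FAILURE$"),
    60105: ("win.system.severityValue", r"^INFORMATION$"),
    60106: ("win.system.severityValue", r"^WARNING$"),
}


def file_access_rule(rule_id, if_sid, path):
    """Model of one local rule: fires on event 4663 for an exact object path,
    but only after the parent rule named in if_sid matched the event."""
    return {
        "id": rule_id,
        "if_sid": if_sid,
        "fields": {
            "win.system.eventID": r"^4663$",
            # Python regex escaping here, not Wazuh's rule-file escaping.
            "win.eventdata.objectName": "^" + re.escape(path) + "$",
        },
    }


# The four monitored paths from the thread, keyed by the rule id that covers them.
PATHS = {
    100111: r"C:\Users\Administrator\Appdata\Roaming\HRPayRoll\config.xml",
    100112: r"C:\Windows\System32\SwiftAccess.ps1",
    100113: r"C:\ProgramData\SwiftTransaction\SwiftRunCheck.vbs",
    100115: r"C:\Users\Administrator\Appdata\Local\Temp\HRPayrollBudget2024.txt",
}

# Rules as posted: each one chains from a different parent rule.
AS_POSTED = [
    file_access_rule(100111, 60103, PATHS[100111]),
    file_access_rule(100112, 60104, PATHS[100112]),
    file_access_rule(100113, 60105, PATHS[100113]),
    file_access_rule(100115, 60106, PATHS[100115]),
]

# Corrected set: a successful object-access audit always arrives through the
# same parent, so every file rule chains from that one.
CORRECTED = [file_access_rule(rid, 60103, path) for rid, path in PATHS.items()]


def get_field(event, dotted):
    """Look up a 'win.eventdata.objectName' style key in a nested dict."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def fields_match(event, fields):
    """True when every field pattern of a rule matches the event."""
    for field, pattern in fields.items():
        value = get_field(event, field)
        if value is None or not re.search(pattern, value):
            return False
    return True


def match_parent(event):
    """Return the id of the first parent rule that matches, else None."""
    for sid, (field, pattern) in PARENT_RULES.items():
        value = get_field(event, field)
        if value is not None and re.search(pattern, value):
            return sid
    return None


def evaluate(event, local_rules):
    """Return the ids of local rules that fire for this event. A child rule is
    only considered when the parent named in its if_sid is the one that matched."""
    parent = match_parent(event)
    return [r["id"] for r in local_rules
            if r["if_sid"] == parent and fields_match(event, r["fields"])]


def sample_4663_event(path):
    """Constructed successful object-access audit event in the shape of
    Wazuh's Windows eventchannel JSON (only the fields used here)."""
    return {
        "win": {
            "system": {"eventID": "4663", "severityValue": "AUDIT_SUCCESS"},
            "eventdata": {"objectName": path},
        }
    }


if __name__ == "__main__":
    for rid, path in PATHS.items():
        ev = sample_4663_event(path)
        print(rid, "as posted:", evaluate(ev, AS_POSTED),
              "corrected:", evaluate(ev, CORRECTED))
```

Running it shows 100111 firing in both sets while 100112, 100113 and 100115 fire only in the corrected set: with the parent sids as posted, those three rules are never evaluated for a successful audit event, which is exactly the symptom in the first message. The practical check on a real manager is the same idea: confirm which parent rule an event actually hits (for example with wazuh-logtest) before choosing the if_sid for a child rule.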