Create Windows custom rules


Maxim Parpaley

Feb 8, 2023, 10:32:39 PM
to Wazuh mailing list
Hi,
I want to create custom rules for Windows and I'm using <if_group>windows</if_group>.
With a few rules, wazuh-manager restarts fine, but with more rules wazuh-manager can't restart; here is my ossec.log file.
Screenshot 2023-02-09 102229.png
I noticed that with one custom rule using <if_group>windows</if_group>, the total number of enabled rules grows by 1473, and with more custom rules it grows to millions of enabled rules, which makes wazuh-manager unable to restart.
I tried other rule syntax such as decoded_as, <if_sid>60000,18100</if_sid>, ... but my custom rules do not create alerts.
Rule example:

<rule id="110005" level="5">
    <if_sid>18100, 60000</if_sid>
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.providerName">Microsoft-Windows-NetworkProfile</field>
    <field name="win.system.eventID">10000</field>
    <field name="win.eventdata.state">1</field>
    <description>Wifi connected - $(win.eventdata.name)</description>
    <options>no_full_log</options>
</rule>

I created this rule to alert when connecting to a Wi-Fi network.

Please help me with this situation.

Best regards,

Juan Cabrera

Feb 9, 2023, 6:07:14 AM
to Wazuh mailing list

Hello demaihac888,

Possibly your error is because you are creating circular dependencies in your rules when using if_group(https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-group). Be careful when using this label not to include rules that in turn have this label.

On the other hand, I see that you have pasted one of your rules. Does this one not work for you? If you could paste me the log that tries to match that rule I could check what is going on.

To check that this log is getting to the manager, you can look at the file /var/ossec/logs/archives/archives.json. You need to enable this option in the /var/ossec/etc/ossec.conf file:

```
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_jsonout_output>yes</logall_jsonout_output>
    ...
  </global>
  ...
</ossec_config>
```

Remember to restart the manager to apply the changes.
Check the file /var/ossec/logs/archives.json to see if you are receiving the logs. This file shows all the logs coming from the agent.

Regards,
Juan Cabrera
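To make the circular-dependency warning above concrete, here is a small static checker. It is an added example for this thread, not Wazuh's own code or tooling: it parses a custom rules file with the standard library, models the parent relation that `<if_sid>` and `<if_group>` create between the custom rules, and reports cycles, including the case where a rule uses `<if_group>` on a group that it is itself assigned to (for instance `<if_group>windows</if_group>` inside a `<group name="windows,...">` wrapper). The rule ids and group names in the sample are constructed; rules from the base ruleset are not loaded, so only cycles among the rules in the given text are found, and Wazuh's own loader behaviour is not reproduced.

```python
"""Static check for circular parent references in Wazuh custom rules.

Added example, not Wazuh's own code. Models the parent relation created
by <if_sid> and <if_group> among the rules in one text and reports cycles.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the wrapper assigns "windows" to every rule inside it,
# so rule 110005 depends (via if_group) on a group it is itself a member of,
# and rule 110006 (a child of 110005 via if_sid) is also a "windows" rule
# that 110005 in turn depends on.
CIRCULAR_RULES = """
<group name="windows,custom,">
  <rule id="110005" level="5">
    <if_group>windows</if_group>
    <field name="win.system.providerName">Microsoft-Windows-NetworkProfile</field>
    <field name="win.system.eventID">10000</field>
    <description>Wifi connected - $(win.eventdata.name)</description>
  </rule>
  <rule id="110006" level="3">
    <if_sid>110005</if_sid>
    <description>Child of the Wi-Fi rule</description>
    <group>wifi,</group>
  </rule>
</group>
"""

# Same rules with the wrapper renamed, so no custom rule carries the group
# it depends on.
CLEAN_RULES = CIRCULAR_RULES.replace('name="windows,custom,"', 'name="custom,"')


def split_list(text):
    """Split a Wazuh comma-separated list such as 'windows,custom,'."""
    return [item.strip() for item in (text or "").split(",") if item.strip()]


def load_rules(xml_text):
    """Parse rules; a rules file may hold several <group> roots, so wrap it."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    rules = []
    for wrapper in root.findall("group"):
        inherited = split_list(wrapper.get("name"))
        for rule in wrapper.findall("rule"):
            own = [g for e in rule.findall("group") for g in split_list(e.text)]
            rules.append({
                "id": rule.get("id"),
                "groups": set(inherited) | set(own),
                "if_group": {g for e in rule.findall("if_group") for g in split_list(e.text)},
                "if_sid": {s for e in rule.findall("if_sid") for s in split_list(e.text)},
            })
    return rules


def parent_map(rules):
    """Map rule id -> ids of the custom rules it is a child of."""
    known = {r["id"] for r in rules}
    parents = {}
    for r in rules:
        p = r["if_sid"] & known
        for other in rules:  # includes r itself, which catches self-dependency
            if other["groups"] & r["if_group"]:
                p.add(other["id"])
        parents[r["id"]] = p
    return parents


def self_referencing(rules):
    """Rules that use <if_group> on a group they are themselves assigned."""
    return sorted(r["id"] for r in rules if r["groups"] & r["if_group"])


def find_cycles(rules):
    """Return one representative path per cycle in the parent graph."""
    parents = parent_map(rules)
    found = {}
    for start in parents:
        stack, visited = [(start, [start])], set()
        while stack:
            node, path = stack.pop()
            for par in parents[node]:
                if par == start:
                    found.setdefault(frozenset(path), path + [start])
                elif par not in visited:
                    visited.add(par)
                    stack.append((par, path + [par]))
    return sorted(found.values(), key=len)


if __name__ == "__main__":
    for label, text in (("circular", CIRCULAR_RULES), ("clean", CLEAN_RULES)):
        loaded = load_rules(text)
        print(label, "self-referencing:", self_referencing(loaded))
        for cycle in find_cycles(loaded):
            print(label, "cycle:", " <- ".join(cycle))
```

Run it against your own `local_rules.xml` by passing the file contents to `load_rules`; an empty result from `find_cycles` is the state you want before restarting the manager.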

Maxim Parpaley

Feb 9, 2023, 6:32:08 AM
to Wazuh mailing list
Hi Juan,
If I use <if_group>windows</if_group>, this rule works for me.

<rule id="110005" level="5">
    <if_group>windows</if_group>
    <field name="win.system.providerName">Microsoft-Windows-NetworkProfile</field>
    <field name="win.system.eventID">10000</field>
    <field name="win.eventdata.state">1</field>
    <description>Wifi connected - $(win.eventdata.name)</description>
    <options>no_full_log</options>
</rule>

Log for this rule from archives.log:

{"win":{"system":{"providerName":"Microsoft-Windows-NetworkProfile","providerGuid":"{fbcfac3f-8459-419f-8e48-1f0b49cdb85e}","eventID":"20002","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x4000000000000020","systemTime":"2023-02-09T10:49:13.2802731Z","eventRecordID":"6156","processID":"2560","threadID":"16928","channel":"Microsoft-Windows-NetworkProfile/Operational","computer":"DESKTOP-VDADAE5","severityValue":"INFORMATION","message":"\"NSI Set Category Result\r\n\tProfile GUID: {00c92f6a-f2b5-46f7-8904-b020b38b4c12}\r\n\tInterface GUID: {1e40ab64-ef0c-42cf-8782-1fa9c599276a}\r\n\tNetwork Category: Public\r\n\tIPv4 Error Code: 0\r\n\tIPv6 Error Code: 0\r\n\tContext: 3906\r\n\""},"eventdata":{"profileGuid":"{00c92f6a-f2b5-46f7-8904-b020b38b4c12}","interfaceGuid":"{1e40ab64-ef0c-42cf-8782-1fa9c599276a}","category":"0","errorCodev4":"0","errorCodev6":"0","context":"3906"}}}
2023 Feb 09 10:49:17 (DESKTOP-VDADAE5) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-NetworkProfile","providerGuid":"{fbcfac3f-8459-419f-8e48-1f0b49cdb85e}","eventID":"10000","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x4000200000000020","systemTime":"2023-02-09T10:49:13.2814429Z","eventRecordID":"6157","processID":"2560","threadID":"16928","channel":"Microsoft-Windows-NetworkProfile/Operational","computer":"DESKTOP-VDADAE5","severityValue":"INFORMATION","message":"\"Network Connected\r\n\tName: TEST\r\n\tDesc: TEST\r\n\tType: Unmanaged\r\n\tState: Connected\r\n\tCategory: Public\r\n\""},"eventdata":{"name":"TEST","description":"TEST","guid":"{00c92f6a-f2b5-46f7-8904-b020b38b4c12}","type":"0","state":"1","category":"0"}}}

Log for this rule from archives.json:

{"timestamp":"2023-02-09T10:49:17.476+0000","agent":{"id":"010","name":"DESKTOP-VDADAE5","ip":"192.168.15.186"},"manager":{"name":"wazuh.manager"},"id":"1675939757.22786688","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-NetworkProfile\",\"providerGuid\":\"{fbcfac3f-8459-419f-8e48-1f0b49cdb85e}\",\"eventID\":\"10000\",\"version\":\"0\",\"level\":\"4\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x4000200000000020\",\"systemTime\":\"2023-02-09T10:49:13.2814429Z\",\"eventRecordID\":\"6157\",\"processID\":\"2560\",\"threadID\":\"16928\",\"channel\":\"Microsoft-Windows-NetworkProfile/Operational\",\"computer\":\"DESKTOP-VDADAE5\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Network Connected\\r\\n\\tName: TEST\\r\\n\\tDesc: TEST\\r\\n\\tType: Unmanaged\\r\\n\\tState: Connected\\r\\n\\tCategory: Public\\r\\n\\\"\"},\"eventdata\":{\"name\":\"TEST\",\"description\":\"TEST\",\"guid\":\"{00c92f6a-f2b5-46f7-8904-b020b38b4c12}\",\"type\":\"0\",\"state\":\"1\",\"category\":\"0\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-NetworkProfile","providerGuid":"{fbcfac3f-8459-419f-8e48-1f0b49cdb85e}","eventID":"10000","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x4000200000000020","systemTime":"2023-02-09T10:49:13.2814429Z","eventRecordID":"6157","processID":"2560","threadID":"16928","channel":"Microsoft-Windows-NetworkProfile/Operational","computer":"DESKTOP-VDADAE5","severityValue":"INFORMATION","message":"\"Network Connected\r\n\tName: TEST\r\n\tDesc: TEST\r\n\tType: Unmanaged\r\n\tState: Connected\r\n\tCategory: Public\r\n\""},"eventdata":{"name":"TEST","description":"TEST","guid":"{00c92f6a-f2b5-46f7-8904-b020b38b4c12}","type":"0","state":"1","category":"0"}}},"location":"EventChannel"}

Alert on my dashboard:
Screenshot 2023-02-09 182441.png

My full alert log for the event:

{"timestamp":"2023-02-09T10:29:56.712+0000","rule":{"level":5,"description":"Wifi connected - TEST","id":"110005","firedtimes":4,"mail":false,"groups":["wifi"]},"agent":{"id":"010","name":"DESKTOP-VDADAE5","ip":"192.168.15.186"},"manager":{"name":"wazuh.manager"},"id":"1675938596.22531586","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-NetworkProfile\",\"providerGuid\":\"{fbcfac3f-8459-419f-8e48-1f0b49cdb85e}\",\"eventID\":\"10000\",\"version\":\"0\",\"level\":\"4\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x4000200000000020\",\"systemTime\":\"2023-02-09T10:29:48.0428549Z\",\"eventRecordID\":\"6109\",\"processID\":\"2560\",\"threadID\":\"12332\",\"channel\":\"Microsoft-Windows-NetworkProfile/Operational\",\"computer\":\"DESKTOP-VDADAE5\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Network Connected\\r\\n\\tName: TEST\\r\\n\\tDesc: TETS\\r\\n\\tType: Unmanaged\\r\\n\\tState: Connected\\r\\n\\tCategory: Public\\r\\n\\\"\"},\"eventdata\":{\"name\":\"TETS\",\"description\":\"TEST\",\"guid\":\"{00c92f6a-f2b5-46f7-8904-b020b38b4c12}\",\"type\":\"0\",\"state\":\"1\",\"category\":\"0\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-NetworkProfile","providerGuid":"{fbcfac3f-8459-419f-8e48-1f0b49cdb85e}","eventID":"10000","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x4000200000000020","systemTime":"2023-02-09T10:29:48.0428549Z","eventRecordID":"6109","processID":"2560","threadID":"12332","channel":"Microsoft-Windows-NetworkProfile/Operational","computer":"DESKTOP-VDADAE5","severityValue":"INFORMATION","message":"\"Network Connected\r\n\tName: TEST\r\n\tDesc: TEST\r\n\tType: Unmanaged\r\n\tState: Connected\r\n\tCategory: Public\r\n\""},"eventdata":{"name":"TEST","description":"TEST","guid":"{00c92f6a-f2b5-46f7-8904-b020b38b4c12}","type":"0","state":"1","category":"0"}}},"location":"EventChannel"}

Why does my rule not work when I use <if_sid>60000</if_sid> or <decoded_as>windows_eventchannel</decoded_as>, and how can I create rules for windows_eventchannel logs?
I only create custom rules for Windows, and almost all of the log sources come from Event Viewer in the EventChannel format.

Best regards,

Juan Cabrera

Feb 13, 2023, 7:52:52 AM
to Wazuh mailing list

Hello Maxim,

Your rule does not work because it is a child of the `60000` rule. If we check your log in `wazuh-logtest`, we can see which rule your custom rule must be a child of:

```
# /var/ossec/bin/wazuh-logtest

Starting wazuh-logtest v4.4.0
Type one log per line


{"win":{"system":{"providerName":"Microsoft-Windows-NetworkProfile","providerGuid":"{fbcfac3f-8459-419f-8e48-1f0b49cdb85e}","eventID":"10000","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x4000200000000020","systemTime":"2023-02-09T10:49:13.2814429Z","eventRecordID":"6157","processID":"2560","threadID":"16928","channel":"Microsoft-Windows-NetworkProfile/Operational","computer":"DESKTOP-VDADAE5","severityValue":"INFORMATION","message":"\"Network Connected\r\n\tName: TEST\r\n\tDesc: TEST\r\n\tType: Unmanaged\r\n\tState: Connected\r\n\tCategory: Public\r\n\""},"eventdata":{"name":"TEST","description":"TEST","guid":"{00c92f6a-f2b5-46f7-8904-b020b38b4c12}","type":"0","state":"1","category":"0"}}}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
    name: 'json'
    win.eventdata.category: '0'
    win.eventdata.description: 'TEST'
    win.eventdata.guid: '{00c92f6a-f2b5-46f7-8904-b020b38b4c12}'
    win.eventdata.name: 'TEST'
    win.eventdata.state: '1'
    win.eventdata.type: '0'
    win.system.channel: 'Microsoft-Windows-NetworkProfile/Operational'
    win.system.computer: 'DESKTOP-VDADAE5'
    win.system.eventID: '10000'
    win.system.eventRecordID: '6157'
    win.system.keywords: '0x4000200000000020'
    win.system.level: '4'
    win.system.message: '"Network Connected
    Name: TEST
    Desc: TEST
    Type: Unmanaged
    State: Connected
    Category: Public
"'
    win.system.opcode: '0'
    win.system.processID: '2560'
    win.system.providerGuid: '{fbcfac3f-8459-419f-8e48-1f0b49cdb85e}'
    win.system.providerName: 'Microsoft-Windows-NetworkProfile'
    win.system.severityValue: 'INFORMATION'
    win.system.systemTime: '2023-02-09T10:49:13.2814429Z'
    win.system.task: '0'
    win.system.threadID: '16928'
    win.system.version: '0'

**Phase 3: Completed filtering (rules).
    id: '60009'
    level: '0'
    description: 'Windows informational event.'
    groups: '['windows']'
    firedtimes: '1'
    mail: 'False'
```

We can see that the log matches the `60009` rule. If we make this change, the rule will look like this:

```
<rule id="110005" level="5">
    <if_group>windows</if_group>
    <field name="win.system.providerName">Microsoft-Windows-NetworkProfile</field>
    <field name="win.system.eventID">10000</field>
    <field name="win.eventdata.state">1</field>
    <description>Wifi connected - $(win.eventdata.name)</description>
    <options>no_full_log</options>
</rule>
```

We can now check whether an alert is generated with that rule:

```
# /var/ossec/bin/wazuh-logtest

Starting wazuh-logtest v4.4.0
Type one log per line


{"win":{"system":{"providerName":"Microsoft-Windows-NetworkProfile","providerGuid":"{fbcfac3f-8459-419f-8e48-1f0b49cdb85e}","eventID":"10000","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x4000200000000020","systemTime":"2023-02-09T10:49:13.2814429Z","eventRecordID":"6157","processID":"2560","threadID":"16928","channel":"Microsoft-Windows-NetworkProfile/Operational","computer":"DESKTOP-VDADAE5","severityValue":"INFORMATION","message":"\"Network Connected\r\n\tName: TEST\r\n\tDesc: TEST\r\n\tType: Unmanaged\r\n\tState: Connected\r\n\tCategory: Public\r\n\""},"eventdata":{"name":"TEST","description":"TEST","guid":"{00c92f6a-f2b5-46f7-8904-b020b38b4c12}","type":"0","state":"1","category":"0"}}}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
    name: 'json'
    win.eventdata.category: '0'
    win.eventdata.description: 'TEST'
    win.eventdata.guid: '{00c92f6a-f2b5-46f7-8904-b020b38b4c12}'
    win.eventdata.name: 'TEST'
    win.eventdata.state: '1'
    win.eventdata.type: '0'
    win.system.channel: 'Microsoft-Windows-NetworkProfile/Operational'
    win.system.computer: 'DESKTOP-VDADAE5'
    win.system.eventID: '10000'
    win.system.eventRecordID: '6157'
    win.system.keywords: '0x4000200000000020'
    win.system.level: '4'
    win.system.message: '"Network Connected
    Name: TEST
    Desc: TEST
    Type: Unmanaged
    State: Connected
    Category: Public
"'
    win.system.opcode: '0'
    win.system.processID: '2560'
    win.system.providerGuid: '{fbcfac3f-8459-419f-8e48-1f0b49cdb85e}'
    win.system.providerName: 'Microsoft-Windows-NetworkProfile'
    win.system.severityValue: 'INFORMATION'
    win.system.systemTime: '2023-02-09T10:49:13.2814429Z'
    win.system.task: '0'
    win.system.threadID: '16928'
    win.system.version: '0'

**Phase 3: Completed filtering (rules).
    id: '110005'
    level: '5'
    description: 'Wifi connected - TEST'
    groups: '['local', 'syslog', 'sshd']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.
```

Regards,
Juan Cabrera
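The `wazuh-logtest` output above shows the two things a `<field>` rule depends on: the decoder flattens the EventChannel JSON into dotted names (`win.system.eventID`, `win.eventdata.state`, ...), and each `<field>` is then matched against one of those names. The script below replays that for rule 110005 against the two NetworkProfile events from the archives.log excerpt (trimmed to the fields the rule looks at). It is an added example for this thread, not Wazuh's own code: parent selection via `<if_group>`/`<if_sid>` is not modelled, and field matching is approximated with an unanchored Python regex search, which is assumed here to be close to the default `osregex` behaviour of `<field>`.

```python
"""Replay of the decoding and field-matching steps for one custom rule.

Added example, not Wazuh's own code. Flattens the EventChannel JSON into
the dotted field names wazuh-logtest prints in Phase 2, evaluates the
<field> conditions of rule 110005 and expands $(win.eventdata.name).
"""
import json
import re
import xml.etree.ElementTree as ET

RULE_XML = """<rule id="110005" level="5">
    <if_group>windows</if_group>
    <field name="win.system.providerName">Microsoft-Windows-NetworkProfile</field>
    <field name="win.system.eventID">10000</field>
    <field name="win.eventdata.state">1</field>
    <description>Wifi connected - $(win.eventdata.name)</description>
    <options>no_full_log</options>
</rule>"""

# The two NetworkProfile events from the archives.log excerpt in this thread,
# trimmed to the fields that matter (the "message" string is omitted).
EVENT_CATEGORY_SET = json.dumps({"win": {
    "system": {"providerName": "Microsoft-Windows-NetworkProfile", "eventID": "20002",
               "channel": "Microsoft-Windows-NetworkProfile/Operational"},
    "eventdata": {"profileGuid": "{00c92f6a-f2b5-46f7-8904-b020b38b4c12}", "category": "0"}}})
EVENT_CONNECTED = json.dumps({"win": {
    "system": {"providerName": "Microsoft-Windows-NetworkProfile", "eventID": "10000",
               "channel": "Microsoft-Windows-NetworkProfile/Operational"},
    "eventdata": {"name": "TEST", "description": "TEST", "type": "0",
                  "state": "1", "category": "0"}}})


def flatten(obj, prefix=""):
    """Nested JSON -> {'win.system.eventID': '10000', ...}, as Phase 2 shows."""
    if isinstance(obj, dict):
        flat = {}
        for key, value in obj.items():
            flat.update(flatten(value, f"{prefix}{key}."))
        return flat
    return {prefix[:-1]: obj if isinstance(obj, str) else json.dumps(obj)}


def parse_rule(xml_text):
    """Pull id, level, <field> conditions and description out of one <rule>."""
    rule = ET.fromstring(xml_text)
    return {
        "id": rule.get("id"),
        "level": int(rule.get("level")),
        "fields": [(f.get("name"), f.text) for f in rule.findall("field")],
        "description": rule.findtext("description", ""),
    }


def field_matches(pattern, value):
    # Assumed approximation of osregex: an unanchored search. Note that a
    # pattern of "1" also matches a state of "10"; use ^1$ for an exact value.
    return re.search(pattern, value) is not None


def evaluate(rule, event_json):
    """Return the alert dict if every <field> matches the event, else None."""
    fields = flatten(json.loads(event_json))
    for name, pattern in rule["fields"]:
        if name not in fields or not field_matches(pattern, fields[name]):
            return None
    description = re.sub(r"\$\(([\w.]+)\)",
                         lambda m: fields.get(m.group(1), ""), rule["description"])
    return {"id": rule["id"], "level": rule["level"], "description": description}


if __name__ == "__main__":
    rule = parse_rule(RULE_XML)
    print(evaluate(rule, EVENT_CATEGORY_SET))  # None: eventID 20002, no state field
    print(evaluate(rule, EVENT_CONNECTED))     # alert 'Wifi connected - TEST'
```

The 20002 "NSI Set Category Result" event fails on `win.system.eventID` and has no `win.eventdata.state` at all, while the 10000 "Network Connected" event satisfies all three fields, which is the same outcome the real `wazuh-logtest` session above produced.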

Maxim Parpaley

Feb 14, 2023, 2:35:55 AM
to Wazuh mailing list
Hi Juan,

Thanks for your help.

Regards,