Rule 60007 has incorrect providername

[rtkbkish]

Rule 60007 has the wrong providername and does not match the Eventlog messages.
It tries to match against ^Eventlog$ rather than ^Microsoft-Windows-Eventlog$

<field name="win.system.providerName">^Microsoft-Windows-Eventlog$</field>

[danimegar]

Hi @rtkbkish

Thank you for the information. We will fix it as soon as possible.

Regards,
Daniel

[danimegar]

Hi again @rtkbkish
we were analyzing this issue and we need to get more information to do the fix correctly.
Can you tell me the OS system you are using? Also, I would be grateful if you give a capture of the event.
Thank you.

[rtkbkish]

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
- <System> 
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" /> 
<EventID>104</EventID> 
<Version>0</Version> 
<Level>4</Level> 
<Task>104</Task> 
<Opcode>0</Opcode> 
<Keywords>0x8000000000000000</Keywords> 
<TimeCreated SystemTime="2020-04-27T17:09:41.600020900Z" /> 
<EventRecordID>1926</EventRecordID> 
<Correlation /> 
<Execution ProcessID="1080" ThreadID="3760" /> 
<Channel>System</Channel> 
<Computer>win10-4.bacon.local</Computer> 
<Security UserID="S-1-5-21-3515560575-3660271003-3619130803-1141" /> 
</System> 
- <UserData> 
- <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"> 
<SubjectUserName>bkish</SubjectUserName> 
<SubjectDomainName>BACON</SubjectDomainName> 
<Channel>System</Channel> 
<BackupPath /> 
</LogFileCleared> 
</UserData> 
</Event>

[rtkbkish]

Seen this on Windows 10, Windows Server 2012. Should be consistent with all Windows OSes using EventChannel

[danimegar]

Hello @rtkbkish
I created a Pull Request (#662) that has already been merged to Wazuh 3.13 (next release). Event 104 worked for me on Windows server 2016:

event
2020 May 27 10:51:02 (Windows2016) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Eventlog","providerGuid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","eventID":"104","version":"0","level":"4","task":"104","opcode":"0","keywords":"0x8000000000000000","systemTime":"2020-05-27T10:51:03.005077800Z","eventRecordID":"7946","processID":"380","threadID":"696","channel":"System","computer":"win2016-agente12","severityValue":"INFORMATION","message":"\"The Application log file was cleared.\""},"logFileCleared":{"subjectUserName":"vagrant","subjectDomainName":"WIN2016-AGENT1","channel":"Application"}}}

The alert:

** Alert 1590576662.391075: - windows,windows_logs,log_clearing,gpg13_10.1,gdpr_II_5.1.f,
2020 May 27 10:51:02 (Windows2016) any->EventChannel
Rule: 63104 (level 5) -> 'A Windows log file was cleared'
{"win":{"system":{"providerName":"Microsoft-Windows-Eventlog","providerGuid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","eventID":"104","version":"0","level":"4","task":"104","opcode":"0","keywords":"0x8000000000000000","systemTime":"2020-05-27T10:51:03.005077800Z","eventRecordID":"7946","processID":"380","threadID":"696","channel":"System","computer":"win2016-agente12","severityValue":"INFORMATION","message":""The Application log file was cleared.""},"logFileCleared":{"subjectUserName":"vagrant","subjectDomainName":"WIN2016-AGENT1","channel":"Application"}}}

Thanks for your input. Please, do not hesitate to share more questions or suggestions for improvement.

Regards,
Daniel.

[danimegar]

Hello,
I am going to close this issue. Please, feel free to reopen it if you need it.