
Fix provider name for Windows Eventlog #662

Merged: 1 commit merged into 3.13 from 635-fix-win-providername on May 29, 2020

Conversation

@danimegar (Contributor) commented May 18, 2020

Related issue
#635

Description

The provider name was fixed so that Windows Eventlog logs match the Wazuh rules.

Tests

Tests done using Windows Server 2016

Events

event 1102 -> 2020 May 27 10:48:19 (Windows2016) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Eventlog","providerGuid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","eventID":"1102","version":"0","level":"4","task":"104","opcode":"0","keywords":"0x4020000000000000","systemTime":"2020-05-27T10:48:20.876350000Z","eventRecordID":"14391","processID":"380","threadID":"700","channel":"Security","computer":"win2016-agente12","severityValue":"INFORMATION","message":"\"The audit log was cleared.\r\nSubject:\r\n\tSecurity ID:\tS-1-5-21-1126062284-4071522965-664428952-1000\r\n\tAccount Name:\tvagrant\r\n\tDomain Name:\tWIN2016-AGENTE1\r\n\tLogon ID:\t0x2D8E4\""},"logFileCleared":{"subjectUserSid":"S-1-5-21-1126062284-4071522965-664428952-1000","subjectUserName":"vagrant","subjectDomainName":"WIN2016-AGENT1","subjectLogonId":"0x2d8e4"}}}


event 104 -> 2020 May 27 10:51:02 (Windows2016) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Eventlog","providerGuid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","eventID":"104","version":"0","level":"4","task":"104","opcode":"0","keywords":"0x8000000000000000","systemTime":"2020-05-27T10:51:03.005077800Z","eventRecordID":"7946","processID":"380","threadID":"696","channel":"System","computer":"win2016-agente12","severityValue":"INFORMATION","message":"\"The Application log file was cleared.\""},"logFileCleared":{"subjectUserName":"vagrant","subjectDomainName":"WIN2016-AGENT1","channel":"Application"}}}

Alerts

** Alert 1590576499.387347: - windows,windows_logs,log_clearing_auditlog,gpg13_10.1,gdpr_II_5.1.f,gdpr_IV_30.1.g,
2020 May 27 10:48:19 (Windows2016) any->EventChannel
Rule: 63103 (level 5) -> 'The audit log was cleared'
{"win":{"system":{"providerName":"Microsoft-Windows-Eventlog","providerGuid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","eventID":"1102","version":"0","level":"4","task":"104","opcode":"0","keywords":"0x4020000000000000","systemTime":"2020-05-27T10:48:20.876350000Z","eventRecordID":"14391","processID":"380","threadID":"700","channel":"Security","computer":"win2016-agente12","severityValue":"INFORMATION","message":"\"The audit log was cleared.\r\nSubject:\r\n\tSecurity ID:\tS-1-5-21-1126062284-4071522965-664428952-1000\r\n\tAccount Name:\tvagrant\r\n\tDomain Name:\tWIN2016-AGENTE1\r\n\tLogon ID:\t0x2D8E4\""},"logFileCleared":{"subjectUserSid":"S-1-5-21-1126062284-4071522965-664428952-1000","subjectUserName":"vagrant","subjectDomainName":"WIN2016-AGENT1","subjectLogonId":"0x2d8e4"}}}

** Alert 1590576662.391075: - windows,windows_logs,log_clearing,gpg13_10.1,gdpr_II_5.1.f,
2020 May 27 10:51:02 (Windows2016) any->EventChannel
Rule: 63104 (level 5) -> 'A Windows log file was cleared'
{"win":{"system":{"providerName":"Microsoft-Windows-Eventlog","providerGuid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","eventID":"104","version":"0","level":"4","task":"104","opcode":"0","keywords":"0x8000000000000000","systemTime":"2020-05-27T10:51:03.005077800Z","eventRecordID":"7946","processID":"380","threadID":"696","channel":"System","computer":"win2016-agente12","severityValue":"INFORMATION","message":"\"The Application log file was cleared.\""},"logFileCleared":{"subjectUserName":"vagrant","subjectDomainName":"WIN2016-AGENT1","channel":"Application"}}}
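The alerts above only fire because the rules key on the exact `win.system.providerName` value; an event that arrives with any other provider name produces no alert at all, which is the silent failure this PR closes. The following Python is an added example written for this page, not Wazuh's rule engine or code from the PR: it parses lines in the `<date> (<agent>) <src>-><location> <json>` layout of the test output, applies a small rule table reconstructed from the two alerts shown (rule ids 63103/63104, level 5, and their descriptions), and includes a constructed negative case with a mismatched provider name to show that such an event is dropped rather than alerted on. The rule table, the regex and the trimmed sample lines are assumptions of this example.

```python
"""Toy provider-name matcher for Windows Eventlog events (added example, not Wazuh code)."""
import json
import re

# Constructed sample lines in the "<date> (<agent>) <src>-><location> <json>" layout
# seen in the PR's test output. The first two JSON bodies are trimmed copies of the
# eventID 1102 and 104 events there; the third is a constructed negative case whose
# provider name ("Eventlog", hypothetical) does not match the rules.
SAMPLE_LINES = [
    r'2020 May 27 10:48:19 (Windows2016) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Eventlog","eventID":"1102","channel":"Security","computer":"win2016-agente12","message":"\"The audit log was cleared.\r\nSubject:\r\n\tAccount Name:\tvagrant\""},"logFileCleared":{"subjectUserName":"vagrant","subjectLogonId":"0x2d8e4"}}}',
    r'2020 May 27 10:51:02 (Windows2016) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Eventlog","eventID":"104","channel":"System","computer":"win2016-agente12","message":"\"The Application log file was cleared.\""},"logFileCleared":{"subjectUserName":"vagrant","channel":"Application"}}}',
    r'2020 May 27 10:55:00 (Windows2016) any->EventChannel {"win":{"system":{"providerName":"Eventlog","eventID":"1102","channel":"Security","computer":"win2016-agente12","message":"\"The audit log was cleared.\""},"logFileCleared":{"subjectUserName":"vagrant"}}}',
]

# Hypothetical rule table mirroring the alerts in the PR:
# (providerName, eventID) -> (rule id, level, description).
RULES = {
    ("Microsoft-Windows-Eventlog", "1102"): (63103, 5, "The audit log was cleared"),
    ("Microsoft-Windows-Eventlog", "104"): (63104, 5, "A Windows log file was cleared"),
}

# Splits the line prefix from the JSON payload; assumed layout, see above.
LINE_RE = re.compile(
    r"^(?P<ts>.+?) \((?P<agent>[^)]+)\) (?P<src>[^ ]+)->(?P<location>[^ ]+) (?P<json>\{.*\})$"
)


def parse_line(line):
    """Return timestamp, agent, location and the decoded 'win' object of one line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not an archive-style event line")
    body = json.loads(m.group("json"))  # handles the \" \r\n \t escapes in 'message'
    return {
        "timestamp": m.group("ts"),
        "agent": m.group("agent"),
        "location": m.group("location"),
        "win": body["win"],
    }


def match_rule(event):
    """Exact (providerName, eventID) lookup; None means no rule fires, i.e. no alert."""
    sysinfo = event["win"]["system"]
    hit = RULES.get((sysinfo.get("providerName"), sysinfo.get("eventID")))
    if hit is None:
        return None
    rule_id, level, description = hit
    cleared = event["win"].get("logFileCleared", {})
    return {
        "rule": rule_id,
        "level": level,
        "description": description,
        "channel": sysinfo.get("channel"),
        "user": cleared.get("subjectUserName"),
    }


def run(lines):
    """Match every line and return the per-line rule result (None where nothing fired)."""
    return [match_rule(parse_line(line)) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, run(SAMPLE_LINES)):
        provider = parse_line(line)["win"]["system"]["providerName"]
        print(provider, "->", result if result else "no alert (provider name mismatch)")
```

The third line is the interesting one for a defender: the event text says the audit log was cleared, but because the provider name differs the lookup returns `None` and no level-5 alert is raised. When validating a rule set against a new agent or OS build, feeding representative events through a check like this and asserting that each one reaches its expected rule id catches this class of regression before it reaches production.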

@vikman90 (Member) left a comment


LGTM!

@vikman90 vikman90 merged commit 158bc7f into 3.13 May 29, 2020
@vikman90 vikman90 deleted the 635-fix-win-providername branch May 29, 2020 14:23