Auditing who-data in Windows
How it works
The who-data monitoring functionality uses the Microsoft Windows audit system to get the information about who made the changes in a monitored directory. These changes produce audit events that are processed by syscheck and reported to the manager. Compatible with systems greater than Windows Vista.
Configuration
To start monitoring in whodata mode, the SACL of the directory to be monitored must be properly configured. Wazuh performs this task automatically when
starting on directories declared with the tag whodata="yes"
in the file ossec.conf
:
<syscheck>
<directories check_all="yes" whodata="yes">C:\Windows\System32\drivers\etc</directories>
</syscheck>
System audit policies also need to be properly configured. This part is also done automatically for most supported Windows systems. If your system is superior to Windows Vista but the audit policies cannot be self-configured, see the guide to configure Local Audit Policies.
Alert fields
The following fields are received in alerts when who-data is enabled:
(Audit) User |
Contains the user ID and name of the user who started the process that modified the monitored file. |
audit.user.id audit.user.name |
|
(Audit) Process id (Audit) Process name |
Contains the ID and name of the process used to modify the monitored file. |
audit.proccess.id audit.proccess.name |
Alert examples
Alert in log format:
** Alert 1531323832.10357533: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,
2018 Jul 11 17:43:52 (vpc-agent-win) any->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: 'C:\Windows\System32\drivers\etc\hosts'
Size changed from '825' to '857'
Old md5sum was: '76eae1f63f77154db8c9dd884a47e994'
New md5sum is : 'e71b0c5cf0e3a8d1848312f1394e448f'
Old sha1sum was: '9c2abeed447447d072aec2128f296e6d3f1ad21a'
New sha1sum is : '0f89ca73534037c5cf23193d032c93cbf0fc4af4'
Old sha256sum was: 'f8d35672114862f660424d8436d621261279703a65bc8ac3146016d5b023520b'
New sha256sum is : 'b9cc339e89fc5d8890cfb8a47249b3b515f5982d8a7348e2e5eb104aec232c9f'
(Audit) User: 'Administrator (S-1-5-21-3292556202-24657078-706277677-500)'
(Audit) Process id: '1736'
(Audit) Process name: 'C:\Windows\System32\notepad.exe'
What changed:
***** QUEUE\DIFF\LOCAL\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS\state.1531323769
***** QUEUE\DIFF\LOCAL\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS\LAST-ENTRY
10.0.0.211 dns_server
*****
Attributes:
- Size: 857
- Permissions: 100666
- Date: Wed Jul 11 17:43:39 2018
- User: SYSTEM (S-1-5-18)
- MD5: e71b0c5cf0e3a8d1848312f1394e448f
- SHA1: 0f89ca73534037c5cf23193d032c93cbf0fc4af4
- SHA256: b9cc339e89fc5d8890cfb8a47249b3b515f5982d8a7348e2e5eb104aec232c9f
Alert in JSON format:
{
"timestamp":"2018-07-11T17:43:52.914+0200",
"rule":{
"level":7,
"description":"Integrity checksum changed.",
"id":"550",
"firedtimes":24,
"mail":false,
"groups":[
"ossec",
"syscheck"
],
"pci_dss":[
"11.5"
],
"gpg13":[
"4.11"
],
"gdpr":[
"II_5.1.f"
]
},
"agent":{
"id":"005",
"name":"vpc-agent-win"
},
"manager":{
"name":"vpc-wazuh-manager"
},
"id":"1531323832.103575",
"syscheck":{
"path":"C:\\Windows\\System32\\drivers\\etc\\hosts",
"size_before":"825",
"size_after":"857",
"perm_after":"100666",
"uid_after":"S-1-5-18",
"md5_before":"76eae1f63f77154db8c9dd884a47e994",
"md5_after":"e71b0c5cf0e3a8d1848312f1394e448f",
"sha1_before":"9c2abeed447447d072aec2128f296e6d3f1ad21a",
"sha1_after":"0f89ca73534037c5cf23193d032c93cbf0fc4af4",
"sha256_before":"f8d35672114862f660424d8436d621261279703a65bc8ac3146016d5b023520b",
"sha256_after":"b9cc339e89fc5d8890cfb8a47249b3b515f5982d8a7348e2e5eb104aec232c9f",
"uname_after":"SYSTEM",
"mtime_before":"2018-07-11T17:42:29",
"mtime_after":"2018-07-11T17:43:39",
"diff":"What changed:\n***** QUEUE\\DIFF\\LOCAL\\WINDOWS\\SYSTEM32\\DRIVERS\\ETC\\HOSTS\\state.1531323769\r\n***** QUEUE\\DIFF\\LOCAL\\WINDOWS\\SYSTEM32\\DRIVERS\\ETC\\HOSTS\\LAST-ENTRY\r\n 10.0.0.211 dns_server \r\n*****\r\n\r\n",
"event":"modified",
"audit":{
"user":{
"id":"S-1-5-21-3292556202-24657078-706277677-500",
"name":"Administrator"
},
"proccess":{
"id":"1736",
"name":"C:\\Windows\\System32\\notepad.exe"
}
}
},
"decoder":{
"name":"syscheck_integrity_changed"
},
"location":"syscheck"
}