Add support for "Windows Filtering Platform (WFP)" #184

Closed
maxverro opened this issue Sep 4, 2018 · 2 comments

maxverro commented Sep 4, 2018

WFP events provide auditing of firewall and IPsec-related events. They are stored in the Security log.

Full documentation is available at https://docs.microsoft.com/en-us/windows/desktop/fwp/auditing-and-logging.

At the moment they are being handled by the generic decoder. Most of the fields are not extracted.

       @timestamp                September 4th 2018, 08:42:01.678
       _id                       jQ-apGUBOnWpbfa8pgdW
       _index                    wazuh-alerts-3.x-2018.09.04
       _score                    -
       _type                     wazuh
       agent.id                  068
       agent.ip                  10.3.1.136
       agent.name                agent.name
       cluster.name              wazuh
       cluster.node              cluster.node
       data.data                 Microsoft-Windows-Security-Auditing
       data.dstuser              (no user)
       data.id                   5157
       data.status               AUDIT_FAILURE
       data.system_name          SXX_W00_QWER_1
       data.type                 Security
       decoder.name              windows
       decoder.parent            windows
       full_log                  2018 Sep 04 08:41:58 WinEvtLog: Security: AUDIT_FAILURE(5157): Microsoft-Windows-Security-Auditing: (no user): no domain: SXX_W00_QWER_1: The Windows Filtering Platform has blocked a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: 10.3.1.136 Source Port: 5 Destination Address: 10.3.1.100 Destination Port: 1 Protocol: 1 Filter Information: Filter Run-Time ID: 66452 Layer Name: Receive/Accept Layer Run-Time ID: 44
       id                        1536064921.562886
       location                  WinEvtLog
       manager.name              manager.name
       predecoder.program_name   WinEvtLog
       predecoder.timestamp      2018 Sep 04 08:41:58
       rule.description          Windows audit failure event.
       rule.firedtimes           5,714
       rule.gdpr                 IV_35.7.d
       rule.groups               windows
       rule.id                   18105
       rule.level                4
       rule.mail                 false
       rule.pci_dss              10.6.1
       source                    /var/ossec/logs/alerts/alerts.json

@elwali10 (Member)

Hello @maxverro

Thanks for reporting that. As you can see below, I'm extracting more fields:

2018 Sep 04 08:41:58 WinEvtLog: Security: AUDIT_FAILURE(5157): Microsoft-Windows-Security-Auditing: (no user): no domain: SXX_W00_QWER_1: The Windows Filtering Platform has blocked a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: 10.3.1.136 Source Port: 5 Destination Address: 10.3.1.100 Destination Port: 1 Protocol: 1 Filter Information: Filter Run-Time ID: 66452 Layer Name: Receive/Accept Layer Run-Time ID: 44

**Phase 1: Completed pre-decoding.
       full event: '2018 Sep 04 08:41:58 WinEvtLog: Security: AUDIT_FAILURE(5157): Microsoft-Windows-Security-Auditing: (no user): no domain: SXX_W00_QWER_1: The Windows Filtering Platform has blocked a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: 10.3.1.136 Source Port: 5 Destination Address: 10.3.1.100 Destination Port: 1 Protocol: 1 Filter Information: Filter Run-Time ID: 66452 Layer Name: Receive/Accept Layer Run-Time ID: 44'
       timestamp: '2018 Sep 04 08:41:58'
       hostname: 'localhost'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_FAILURE(5157): Microsoft-Windows-Security-Auditing: (no user): no domain: SXX_W00_QWER_1: The Windows Filtering Platform has blocked a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: 10.3.1.136 Source Port: 5 Destination Address: 10.3.1.100 Destination Port: 1 Protocol: 1 Filter Information: Filter Run-Time ID: 66452 Layer Name: Receive/Accept Layer Run-Time ID: 44'

**Phase 2: Completed decoding.
       decoder: 'windows'
       type: 'Security'
       status: 'AUDIT_FAILURE'
       id: '5157'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'SXX_W00_QWER_1'
       process_id: '4'
       Application_Name: 'System'
       direction: 'Inbound'
       srcip: '10.3.1.136'
       srcport: '5'
       dstip: '10.3.1.100'
       dstport: '1'
       protocol: '1'
       filtre_ID: '66452'
       Layer_Name: 'Receive/Accept'
       Layer_ID: '44'

**Phase 3: Completed filtering (rules).
       Rule id: '18105'
       Level: '4'
       Description: 'Windows audit failure event.'
**Alert to be generated.

I will make sure to include this change in a PR.

I will close the issue for the moment. Feel free to re-open it if you judge that any more fields should be extracted or any other enhancement is needed.

regards,
Wali.k
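
The logtest output above shows which pieces of the 5157 message the decoder pulls out. The following is an added example, not Wazuh code and not from either participant: a stand-alone Python decoder for the same WinEvtLog line shape that extracts those fields, and a small detection on top of the decoded output. It generalizes the case in the thread to the other WFP connection/packet audit events covered by the linked Microsoft documentation (5152 blocked packet, 5156 permitted connection), which use the same "Application Information / Network Information / Filter Information" layout. The field names (srcip, dstport, filter_id, layer_id, ...), the protocol table and the threshold are choices made for this example, modelled on the logtest output rather than on any Wazuh schema. The first sample line is the event quoted in the issue; the 5152 and 5156 lines are constructed for the example.

```python
"""Decode Wazuh-formatted WinEvtLog lines carrying Windows Filtering Platform
(WFP) audit events 5152 / 5156 / 5157 into named fields.

Added example; not Wazuh code. Field names are this example's own choice,
modelled on the logtest output in the thread, not on a Wazuh schema.
"""
import re
from collections import Counter

# Header exactly as the Wazuh agent writes a Security channel event:
# date, "WinEvtLog", channel, STATUS(id), provider, user, domain, host, message.
HEADER_RE = re.compile(
    r"^(?P<timestamp>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<type>[^:]+): (?P<status>AUDIT_\w+)\((?P<id>\d+)\): "
    r"(?P<provider>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<message>.*)$"
)

# Section headers in the message body carry no value; the labels under them do.
SECTIONS = ("Application Information", "Network Information", "Filter Information")
LABELS = {                       # message label -> field name (example's own names)
    "Process ID": "process_id",
    "Application Name": "application_name",
    "Direction": "direction",
    "Source Address": "srcip",
    "Source Port": "srcport",
    "Destination Address": "dstip",
    "Destination Port": "dstport",
    "Protocol": "protocol",
    "Filter Run-Time ID": "filter_id",
    "Layer Name": "layer_name",
    "Layer Run-Time ID": "layer_id",
}
# One capturing group so re.split() returns [preamble, label, value, label, value, ...].
# Longest labels first so no shorter label can match inside a longer one.
LABEL_RE = re.compile(
    r"\b(" + "|".join(re.escape(k) for k in sorted((*SECTIONS, *LABELS), key=len, reverse=True)) + r"):\s*"
)

WFP_EVENT_IDS = {"5152": "blocked packet", "5156": "permitted connection", "5157": "blocked connection"}
PROTOCOLS = {"1": "icmp", "6": "tcp", "17": "udp"}   # IP protocol numbers seen in these events


def parse_wfp_event(line):
    """Return a dict of decoded fields, or None if the line is not a WFP audit event."""
    m = HEADER_RE.match(line)
    if not m or m.group("id") not in WFP_EVENT_IDS:
        return None
    fields = {k: v.strip() for k, v in m.groupdict().items() if k != "message"}
    parts = LABEL_RE.split(m.group("message"))
    fields["event_text"] = parts[0].strip()          # e.g. "The Windows Filtering Platform has blocked a connection."
    for label, value in zip(parts[1::2], parts[2::2]):
        if label in LABELS:                          # skip the bare section headers
            fields[LABELS[label]] = value.strip()    # values may contain spaces (paths), so split on labels, not spaces
    fields["protocol_name"] = PROTOCOLS.get(fields.get("protocol"), "other")
    return fields


def decode_all(lines):
    return [parse_wfp_event(line) for line in lines]


def blocked_inbound_by_source(events, threshold=3):
    """Example detection on decoded events: source IPs with at least `threshold`
    inbound blocks (5152 or 5157). The threshold is arbitrary for the example."""
    counts = Counter(
        e["srcip"] for e in events
        if e and e["id"] in ("5152", "5157") and e.get("direction") == "Inbound"
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Line 1 is the event quoted in the issue; lines 2 and 3 are constructed for this
# example in the same format and were not captured from a real host.
SAMPLE_LINES = [
    "2018 Sep 04 08:41:58 WinEvtLog: Security: AUDIT_FAILURE(5157): Microsoft-Windows-Security-Auditing: (no user): no domain: SXX_W00_QWER_1: The Windows Filtering Platform has blocked a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: 10.3.1.136 Source Port: 5 Destination Address: 10.3.1.100 Destination Port: 1 Protocol: 1 Filter Information: Filter Run-Time ID: 66452 Layer Name: Receive/Accept Layer Run-Time ID: 44",
    "2018 Sep 04 08:42:10 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: SXX_W00_QWER_1: The Windows Filtering Platform has blocked a packet. Application Information: Process ID: 1184 Application Name: \\device\\harddiskvolume2\\windows\\system32\\svchost.exe Network Information: Direction: Inbound Source Address: 10.3.1.136 Source Port: 49212 Destination Address: 10.3.1.100 Destination Port: 3389 Protocol: 6 Filter Information: Filter Run-Time ID: 66452 Layer Name: Transport Layer Run-Time ID: 13",
    "2018 Sep 04 08:42:11 WinEvtLog: Security: AUDIT_SUCCESS(5156): Microsoft-Windows-Security-Auditing: (no user): no domain: SXX_W00_QWER_1: The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2040 Application Name: \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Network Information: Direction: Outbound Source Address: 10.3.1.100 Source Port: 50114 Destination Address: 10.3.1.10 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 66510 Layer Name: Connect Layer Run-Time ID: 48",
]

if __name__ == "__main__":
    events = decode_all(SAMPLE_LINES)
    for ev in events:
        print(ev)
    print(blocked_inbound_by_source(events, threshold=2))
```

Two points worth keeping in mind when writing rules on these fields: the generic rule 18105 fires on every audit failure, so a 5157-specific rule should key on the decoded event id plus direction, destination port and application name rather than on the level-4 catch-all; and for protocol 1 the two "port" fields are not ports at all, since WFP reports the ICMP type and code there (the quoted event, 5 and 1, is an ICMP redirect, not traffic to port 1), so a port-based rule should exclude or special-case protocol 1.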

elwali10 added a commit that referenced this issue Jan 31, 2019
This PR, related to this issue #184, tends to cover WFP logs in the windows decoder
maxverro commented Feb 1, 2019

Hi @elwali10, thanks for the PR. I'll pull the change and test the decoder within the next few days. But it looks good to me.

Just out of curiosity, do you know if Wazuh plans to respect the Elastic Common Schema (which is still in beta)? It would be really nice if we could correlate Wazuh alerts with other logs using that common field set.

K-Embee pushed a commit that referenced this issue Apr 7, 2020
This PR, related to this issue #184, tends to cover WFP logs in the windows decoder