How to view windows event IDs forwarded via the elastic agent and how to control which event IDs are sent to Security Onion

[cslewis2-Devnet]

Version

2.4.60

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

16

RAM

100G

Storage for /

Lots

Storage for /nsm

Lots

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

Running sudo salt-call state.highstate give a message
[INFO ] caching directory '_grains" for environmental 'base'
local
Data failed to compile:
NO entries that I can see tied to this issue in the opt/so/log directory

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cslewis2-Devnet]

I have a standalone version of Security Onion. I have the system working and elastic agents installed. I can navigate to dashboards to see the sysmon overview to see sysmon events reported, however I am unable to find a view of the Windows Event IDs that have been shipped to Security Onion. How are those viewed and controlled (in terms of which event IDs are shipped up to SO) in 2.4.60?

[cm-ops]

You should be able to open one of the events and add a groupby on the event IDs to see them in the dashboard.

[cslewis2-Devnet]

Hi thanks for the reply, I appreciate you taking the time to help. It's likely I have not described my problem well enough, let me try again. In the alerts display, all I see are alerts that come from Suricata. In previous versions I would see windows event logs, Sysmon and other sources of alerts. Here are two more specific questions.

1. I can go into Hunt, select the 'Sysmon events' view and see lots of Sysmon events there. If for example I do an include for the file create events and drilldown into one of those, I see that it is event code 11, which is what I would expect. So far, so good. My question is why would I have seen sysmon events in the alerts display of previous SO releases, but I am missing them in the alerts display with a vanilla 2.4 install. I am thinking I have missed something, but not sure what.
2. I want to be able to do a similar exercise but for windows event logs. Let's say I am interested in windows event 4624 (a successful logon). I used to see those displayed in the alerts page, but not with my install of 2.4. If I try to track down 4624 events, the closest I get is to look in Dashboards-Host Security Events, and I see lots of events for log_on and log_off. However when I drilldown into one of the events that has an event.action of log_on, I cannot see the event ID of 4624 anywhere. Am I just not looking hard enough, or looking in the wrong place?

[cslewis2-Devnet]

Hi,
To add some more clarification. In 2.3 we had Wazuh/ossec, with that client we had to configure the ossec.conf to define which events would be sent to SO. Once an event ID was configured in the client, it would be sent up to SO and an Alert would appear. How is that functionality replicated with the new elastic agent?

[cm-ops]

You would want to make sure there is a sigma rule in Detections enabled. That would generate alerts based on matches.

If you do not see one that covers your use case, there is a template in Detections where you can tailor a sigma rule to your specific detection.

[cslewis2-Devnet]

Thanks, that worked beautifully. One last clarification please. With the previous ossec based client, there was an ossec.conf file that had a default set of event IDs that generated alerts. Is there an existing file that will configure alerts for the most common event IDs monitored? If not I would assume the process is to manually create a rule for each of the 40 or 50 event IDs we want to monitor, is that correct?

[cm-ops]

https://github.com/SigmaHQ/sigma/blob/master/Releases.md There are quite a few sigma rules by default that come in Security Onion. If you look in Detections you will see core and emerging_threats_addon. I would check there to see if there is already a rule for your use case before creating one.