
Required sysmon logs not showing up in Wazuh. #3

@codetangler

Description

@codetangler

Hello, I have questions (or an issue?) with Sysmon logs on Wazuh. I am specifically wanting Wazuh to parse network connections, which is event ID 3 in Sysmon.
The default rules file 0595-win-sysmon_rules.xml contains this:

```xml
<rule id="61605" level="0">
  <if_sid>61600</if_sid>
  <field name="win.system.eventID">^3$</field>
  <description>Sysmon - Event 3: Network connection to $(win.eventdata.destinationIp):$(win.eventdata.destinationPort) by $(win.eventdata.image)</description>
  <options>no_full_log</options>
  <group>sysmon_event3,</group>
</rule>
```

I added a sysmon.xml rule file (from the OpenSecure GitHub repo) which contains this:

```xml
<rule id="101103" level="5">
  <if_sid>61605</if_sid>
  <options>no_full_log</options>
  <description>Sysmon - Event 3: Network connection.</description>
</rule>
```

I believe that the first rule (61605) will parse the event but not display it (level "0"), whereas the second rule (101103) will assign a level 5 alert to the event, which should make it visible in the dashboard. However, I don't see any 101103 events in the dashboard, despite browsing several websites and issuing curl commands to various domains in cmd. I see the related events in the Windows Event Viewer > Sysmon > Operational, but not in the dashboard. I can see other Sysmon events in the dashboard, but not 101103. The same actually also applies to DNS queries (event 22 in Sysmon, 101100 in the sysmon.xml from OpenSecure). Are you able to provide any pointers?
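One way to dry-run the parent/child chain described in this issue offline, as an added example that is not from the issue or from Wazuh itself: it loads a constructed three-rule set modelled on the quoted rules (61600 as root, 61605 under it, custom 101103 under that), checks for `if_sid` references to rules that do not exist, and walks a flattened decoded event through the chain to report the final rule, its level, and whether that level clears the default `log_alert_level` of 3, below which nothing is written to alerts and so nothing reaches the dashboard.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two rules quoted in the issue
# (default 61605 under 61600, custom 101103); not the real Wazuh ruleset.
RULES_XML = """<rules>
<rule id="61600" level="0"><field name="win.system.providerName">^Microsoft-Windows-Sysmon$</field>
  <description>Sysmon event</description></rule>
<rule id="61605" level="0"><if_sid>61600</if_sid><field name="win.system.eventID">^3$</field>
  <description>Sysmon - Event 3: Network connection</description></rule>
<rule id="101103" level="5"><if_sid>61605</if_sid>
  <description>Sysmon - Event 3: Network connection.</description></rule>
</rules>"""


def load_rules(xml_text):
    """Return rules in file order as dicts with id, level, parents and field regexes."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level", "0")),
            "if_sid": [int(s) for s in r.findtext("if_sid", "").replace(",", " ").split()],
            "fields": [(f.get("name"), f.text) for f in r.findall("field")],
        })
    return rules


def check_refs(rules):
    """List (rule_id, if_sid) pairs whose parent rule is not in the loaded set."""
    ids = {r["id"] for r in rules}
    return [(r["id"], sid) for r in rules for sid in r["if_sid"] if sid not in ids]


def match_chain(rules, event, log_alert_level=3):
    """Walk the chain: a rule fires when one of its if_sid parents fired (or it has
    no parent) and every <field> regex matches the decoded event. Returns
    (final_rule_id, level, visible); visible means level >= log_alert_level."""
    fired, final = set(), None
    for r in rules:
        if r["if_sid"] and not fired.intersection(r["if_sid"]):
            continue
        if all(re.search(rx, event.get(name, "")) for name, rx in r["fields"]):
            fired.add(r["id"])
            final = r
    if final is None:
        return None, 0, False
    return final["id"], final["level"], final["level"] >= log_alert_level
```

On a live manager the equivalent check is to feed a raw Sysmon event to `/var/ossec/bin/wazuh-logtest`, which prints the decoder output and the rule that finally matched.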
