1. Describe your incident:
I am looking to build out some alerts that require Event ID 4698 in Windows (Scheduled Task Created). I modified the GPO for audit success/failure of ‘Other Objects’ and that has made it so logs are generated in Event Viewer, but they are still not making it into GL as far as I can tell.
2. Describe your environment:
- OS Information:
Running GL Cloud.
Client device is Windows 11, w/ sidecar, nxlog and sysmon.
- Service logs, configurations, and environment variables:
Here is an example 4698 event:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4699</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2024-08-29T15:20:01.5841151Z" />
<EventRecordID>165395</EventRecordID>
<Correlation ActivityID="{71814a85-fa26-0006-b54a-817126fada01}" />
<Execution ProcessID="1264" ThreadID="1372" />
<Channel>Security</Channel>
<Computer>testdomain.testdomain.com</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-217194642-45634563456742-2742321624-28153</Data>
<Data Name="SubjectUserName">username-redacted</Data>
<Data Name="SubjectDomainName">TEST</Data>
<Data Name="SubjectLogonId">0x1f99a2</Data>
<Data Name="TaskName">\test</Data>
<Data Name="TaskContent" />
<Data Name="ClientProcessStartKey">30117822508040619</Data>
<Data Name="ClientProcessId">18572</Data>
<Data Name="ParentProcessId">9616</Data>
<Data Name="RpcCallClientLocality">0</Data>
<Data Name="FQDN">testdomain.testdomain.com</Data>
</EventData>
</Event>
Here is an example nxlog configuration, but I also tried another one without any drops/suppressions:
#Prod
define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# GELF formatting for the output below (instance name is historical, module is xm_gelf)
<Extension _syslog>
    Module xm_gelf
</Extension>

<Extension json>
    Module xm_json
</Extension>

# Event IDs dropped on the client before they are sent; 4698 is not in this list
define DroppedEventIDs 4634, 4624, 1035, 1003, 16394, 63, 16384, 4688

<Input inWindowsAudit>
    Module im_msvistalog
    ReadFromLast True
    # Channels read from Event Viewer; Security is selected without any filter
    Query <QueryList> \
        <Query Id="0"> \
            <Select Path="Application">*</Select> \
            <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> \
            <Select Path="Security">*</Select> \
            <Select Path="System">*[System[(level='4')]]</Select> \
            <Suppress Path="Application">*[System[(EventID=258)]]</Suppress> \
            <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=4104 or EventID=4106)]]</Select> \
        </Query> \
    </QueryList>
    # Client-side drop rules
    Exec if ($EventID IN (%DroppedEventIDs%)) drop();
    Exec if ($DestAddress =~ /10.0.0.111/) drop();
    Exec if ($DestAddress =~ /127.0.0.1/) drop();
    Exec if ($DestAddress =~ /230.0.0.4/) drop();
    Exec if ($EventID == 0 and $message == 'PowerEvent handled successfully by the service.') drop();
    Exec if ($EventID == 22 and $QueryName == 'something-redacted') drop();
</Input>

# GELF over UDP to the Graylog input
<Output outGraylog>
    Module om_udp
    Host 10.11.11.11
    Port 12202
    OutputType GELF
</Output>

<Route 1>
    Path inWindowsAudit => outGraylog
</Route>
3. What steps have you already taken to try and solve the problem?
Tried making a new nxlog config that's barebones.
Tried adding lines to include that event ID.
I have tried just looking up this issue, no success there.
Tried reinstalling nxlog and restarting sidecar.
Looked for the log everywhere and it seems that event id is not getting logged anywhere.
I poked around the sysmon config for relevant includes/exclude statements but couldn’t find any.
Reviewed pipeline rules and there is nothing that would drop it in there.
Looked at received messages for the input and it seems to never show up.
4. How can the community help?
Are you able to point me in the right direction to find out why this is not being logged to the SIEM? This doesn’t seem to be an issue with nxlog but not sure where else to look. As far as I can tell, it never hits the input.
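One way to rule the client-side drop rules in or out, as an added example that is not part of the original post and not code from nxlog or Graylog: replay the Exec conditions from the posted config offline against the Event Viewer XML shown above. The script parses the event the way im_msvistalog flattens it (one field per `<Data Name=...>`, plus EventID and Channel), then applies the same drop list and address/message conditions. Field names such as `Hostname` and `EventTime` are this example's own choices, the `message`/`QueryName` names are mirrored from the config as written, and the address patterns here are escaped and anchored, unlike the posted `/10.0.0.111/` style, which also matches addresses like 110.0.0.111.

```python
"""Offline replay of the nxlog drop rules from the posted config.

Added example, not code from the original post, nxlog or Graylog. It parses
Event Viewer XML (the 4699 sample from the post is embedded below), flattens
it into the fields im_msvistalog exposes to Exec rules, and applies the same
drop conditions so you can confirm whether a given event would be discarded
on the client before it is ever sent to the Graylog input.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Mirrors `define DroppedEventIDs` in the posted config.
DROPPED_EVENT_IDS = {4634, 4624, 1035, 1003, 16394, 63, 16384, 4688}

# Destination addresses the config drops. The posted patterns are unanchored
# with unescaped dots (/10.0.0.111/ also matches 110.0.0.111); here they are
# escaped and anchored so only the exact address matches.
DROPPED_DEST_ADDRESSES = [
    re.compile(r"^" + re.escape(addr) + r"$")
    for addr in ("10.0.0.111", "127.0.0.1", "230.0.0.4")
]

# Sample 4699 event copied from the post (values were already redacted there).
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4699</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12804</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2024-08-29T15:20:01.5841151Z" />
    <EventRecordID>165395</EventRecordID>
    <Channel>Security</Channel>
    <Computer>testdomain.testdomain.com</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">username-redacted</Data>
    <Data Name="SubjectDomainName">TEST</Data>
    <Data Name="TaskName">\\test</Data>
    <Data Name="TaskContent" />
    <Data Name="ClientProcessId">18572</Data>
  </EventData>
</Event>"""


def parse_event(xml_text: str) -> dict:
    """Flatten Event Viewer XML into a flat field dict, like nxlog does."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Channel": system.findtext("e:Channel", namespaces=NS),
        "Hostname": system.findtext("e:Computer", namespaces=NS),   # example's own name
        "EventTime": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    # Every <Data Name="X"> becomes field X; an empty element becomes "".
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def drop_reason(fields: dict):
    """Return why the posted Exec rules would drop this event, or None."""
    eid = fields.get("EventID")
    if eid in DROPPED_EVENT_IDS:
        return f"EventID {eid} is in DroppedEventIDs"
    dest = fields.get("DestAddress")
    if dest is not None:
        for pattern in DROPPED_DEST_ADDRESSES:
            if pattern.search(dest):
                return f"DestAddress {dest} matches {pattern.pattern}"
    if eid == 0 and fields.get("message") == "PowerEvent handled successfully by the service.":
        return "EventID 0 PowerEvent noise"
    if eid == 22 and fields.get("QueryName") == "something-redacted":
        return "Sysmon DNS query for a suppressed name"
    return None


def would_be_forwarded(xml_text: str) -> bool:
    """True if nothing in the client-side Exec rules would drop the event."""
    return drop_reason(parse_event(xml_text)) is None


if __name__ == "__main__":
    fields = parse_event(SAMPLE_EVENT_XML)
    print(f"EventID {fields['EventID']} on {fields['Channel']}, task {fields['TaskName']!r}")
    print("client-side verdict:", drop_reason(fields) or "forwarded to the Graylog input")
    # A constructed 4688 (process creation) event is dropped by the ID list.
    dropped = SAMPLE_EVENT_XML.replace("<EventID>4699</EventID>", "<EventID>4688</EventID>")
    print("4688 verdict:", drop_reason(parse_event(dropped)))
```

Running it against the sample shows the Exec rules leave 4699 (and, by the same logic, 4698) untouched, which is consistent with the observation that the event never reaches the input at all: the next places to look are whether the Security channel query is actually returning the event on that host and whether the message is arriving on the UDP port, rather than the drop rules.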