Wazuh SIEM Integrations (II) — WithSecure Elements EPP

SOCFortress
3 min readJul 8, 2022

--

Intro

WithSecure Elements EPP (formerly F-Secure Elements) is an endpoint protection agent that can be used as part of a full EPDR solution. Organizations can combine WithSecure Elements protection solution with Wauh agent’s capabilities to deploy a full EPDR stack.

WithSecure Elements Protection Features include:

  • Multi-engine anti-malware.
  • Heuristic & behavior analysis.
  • Application behavior.
  • Automated OS and 3rd Party software patch management.
  • Device Control.
  • Firewall Manager.
  • Real-time threat intelligence.
  • Connection Control.
  • Browsing Protection.
  • Web Traffic Protection
  • Web Content Control.
  • Block malicious web content.

WithSecure Elements EPP — Events and alerts in WinEvtLogs

WithSecure Elements integrates nicely with Windows Event channel and all registered events and alerts are recorded in the following Event Logs category:

Events details:

Integrating WithSecure Elements EPP in Wazuh SIEM

The Wazuh agent can be configured to read from the win event channel and forward the activity recorded to the Wazuh manager:

<localfile>
<location>FSecureUltralightSDK</location>
<log_format>eventchannel</log_format>
</localfile>

Detection Rules:

<group name="windows,">
<rule id="200450" level="3">
<if_sid>60009</if_sid>
<field name="win.system.providerName">^F-Secure Ultralight SDK$</field>
<field name="win.system.eventID">^1$</field>
<options>no_full_log</options>
<group>fsecure,</group>
<description>F-Secure EPP - Notification</description>
</rule>
<rule id="200451" level="12">
<if_sid>60009</if_sid>
<field name="win.system.providerName">^F-Secure Ultralight SDK$</field>
<field name="win.system.eventID">^2$</field>
<options>no_full_log</options>
<group>fsecure,</group>
<description>F-Secure EPP - Virus/Malware Infection Detected</description>
</rule>
<rule id="200452" level="5">
<if_sid>60009</if_sid>
<field name="win.system.providerName">^F-Secure Ultralight SDK$</field>
<field name="win.system.eventID">^7$</field>
<options>no_full_log</options>
<group>fsecure,</group>
<description>F-Secure EPP - Network Interceptor</description>
</rule>
<rule id="200453" level="12">
<if_sid>60009</if_sid>
<field name="win.system.providerName">^F-Secure Ultralight SDK$</field>
<field name="win.system.eventID">^7$</field>
<field name="win.eventdata.rl">block_page$</field>
<options>no_full_log</options>
<group>fsecure,</group>
<description>F-Secure EPP - Network Interceptor, Web Access Blocked</description>
</rule>
<rule id="200454" level="12">
<if_sid>60009</if_sid>
<field name="win.system.providerName">^F-Secure Ultralight SDK$</field>
<field name="win.system.eventID">^6$</field>
<options>no_full_log</options>
<group>fsecure,</group>
<description>F-Secure EPP - Process/App Blocked</description>
</rule>
</group>

WithSecure Elements EPP — Events and Alerts in SOCFortress Platform

Activity Summary:

Alerts — Relevant Metadata:

Alerts Timeline and Alerts Severity:

Alerts and Events — Full Metadata:

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html

SOCFortress is a WithSecure partner and reseller.

--

--

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).