Wazuh SIEM Integrations (II) — WithSecure Elements EPP
Intro
WithSecure Elements EPP (formerly F-Secure Elements) is an endpoint protection agent that can be used as part of a full EPDR solution. Organizations can combine the WithSecure Elements protection solution with the Wazuh agent's capabilities to deploy a full EPDR stack.
WithSecure Elements Protection Features include:
- Multi-engine anti-malware.
- Heuristic & behavior analysis.
- Application behavior.
- Automated OS and 3rd Party software patch management.
- Device Control.
- Firewall Manager.
- Real-time threat intelligence.
- Connection Control.
- Browsing Protection.
- Web Traffic Protection.
- Web Content Control.
- Block malicious web content.
WithSecure Elements EPP — Events and alerts in WinEvtLogs
WithSecure Elements integrates cleanly with the Windows Event channel: all registered events and alerts are recorded in the FSecureUltralightSDK event log (provider name F-Secure Ultralight SDK), in the following Event Logs category:
Events details:
Integrating WithSecure Elements EPP in Wazuh SIEM
The Wazuh agent can be configured to read from the Windows Event channel and forward the recorded activity to the Wazuh manager:
<localfile>
  <location>FSecureUltralightSDK</location>
  <log_format>eventchannel</log_format>
</localfile>
Detection Rules:
<group name="windows,">
  <!-- All rules chain off 60009, the Wazuh base rule for Windows eventchannel events,
       and match on the provider name plus the WithSecure event ID. -->
  <rule id="200450" level="3">
    <if_sid>60009</if_sid>
    <field name="win.system.providerName">^F-Secure Ultralight SDK$</field>
    <field name="win.system.eventID">^1$</field>
    <options>no_full_log</options>
    <group>fsecure,</group>
    <description>F-Secure EPP - Notification</description>
  </rule>
  <rule id="200451" level="12">
    <if_sid>60009</if_sid>
    <field name="win.system.providerName">^F-Secure Ultralight SDK$</field>
    <field name="win.system.eventID">^2$</field>
    <options>no_full_log</options>
    <group>fsecure,</group>
    <description>F-Secure EPP - Virus/Malware Infection Detected</description>
  </rule>
  <!-- Generic Network Interceptor event (ID 7). -->
  <rule id="200452" level="5">
    <if_sid>60009</if_sid>
    <field name="win.system.providerName">^F-Secure Ultralight SDK$</field>
    <field name="win.system.eventID">^7$</field>
    <options>no_full_log</options>
    <group>fsecure,</group>
    <description>F-Secure EPP - Network Interceptor</description>
  </rule>
  <!-- Same event ID 7, but only when the requested URL (rl) ends in block_page,
       i.e. the agent served its block page. Wazuh tries higher-level sibling
       rules first, so this rule wins over 200452 when the extra field matches. -->
  <rule id="200453" level="12">
    <if_sid>60009</if_sid>
    <field name="win.system.providerName">^F-Secure Ultralight SDK$</field>
    <field name="win.system.eventID">^7$</field>
    <field name="win.eventdata.rl">block_page$</field>
    <options>no_full_log</options>
    <group>fsecure,</group>
    <description>F-Secure EPP - Network Interceptor, Web Access Blocked</description>
  </rule>
  <rule id="200454" level="12">
    <if_sid>60009</if_sid>
    <field name="win.system.providerName">^F-Secure Ultralight SDK$</field>
    <field name="win.system.eventID">^6$</field>
    <options>no_full_log</options>
    <group>fsecure,</group>
    <description>F-Secure EPP - Process/App Blocked</description>
  </rule>
</group>
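As an added example (not from the post, and not Wazuh code), the following Python script runs the rules above over a few constructed eventchannel events and reports which rule fires for each. It assumes Wazuh's behaviour of trying sibling rules highest level first, which is what lets 200453 take precedence over 200452 for event ID 7 when the URL ends in block_page; the sample events and the URL value are constructed.

```python
import re
import xml.etree.ElementTree as ET
# The post's rules, one per line; <options> and <group> dropped as they don't affect matching.
RULES_XML = """<group name="windows,">
<rule id="200450" level="3"><if_sid>60009</if_sid><field name="win.system.providerName">^F-Secure Ultralight SDK$</field><field name="win.system.eventID">^1$</field><description>F-Secure EPP - Notification</description></rule>
<rule id="200451" level="12"><if_sid>60009</if_sid><field name="win.system.providerName">^F-Secure Ultralight SDK$</field><field name="win.system.eventID">^2$</field><description>F-Secure EPP - Virus/Malware Infection Detected</description></rule>
<rule id="200452" level="5"><if_sid>60009</if_sid><field name="win.system.providerName">^F-Secure Ultralight SDK$</field><field name="win.system.eventID">^7$</field><description>F-Secure EPP - Network Interceptor</description></rule>
<rule id="200453" level="12"><if_sid>60009</if_sid><field name="win.system.providerName">^F-Secure Ultralight SDK$</field><field name="win.system.eventID">^7$</field><field name="win.eventdata.rl">block_page$</field><description>F-Secure EPP - Network Interceptor, Web Access Blocked</description></rule>
<rule id="200454" level="12"><if_sid>60009</if_sid><field name="win.system.providerName">^F-Secure Ultralight SDK$</field><field name="win.system.eventID">^6$</field><description>F-Secure EPP - Process/App Blocked</description></rule>
</group>"""

def load_rules(xml_text):
    # Sort highest level first, mirroring how Wazuh orders sibling rules: the
    # level-12 block_page rule 200453 is tried before the generic level-5 rule 200452.
    rules = [{"id": r.get("id"), "level": int(r.get("level")),
              "fields": [(f.get("name"), f.text) for f in r.findall("field")],
              "description": r.findtext("description")}
             for r in ET.fromstring(xml_text).iter("rule")]
    return sorted(rules, key=lambda r: r["level"], reverse=True)

def flatten(obj, prefix=""):
    # Turn decoded eventchannel JSON into dotted keys such as win.system.eventID.
    out = {}
    for k, v in obj.items():
        if isinstance(v, dict):
            out.update(flatten(v, f"{prefix}{k}."))
        else:
            out[f"{prefix}{k}"] = str(v)
    return out

def match(event, rules):
    # A rule fires only if every <field> regex matches (^ and $ anchor as in Wazuh);
    # returns (id, level, description) of the first hit, or None.
    flat = flatten(event)
    for r in rules:
        if all(name in flat and re.search(pat, flat[name]) for name, pat in r["fields"]):
            return r["id"], r["level"], r["description"]
    return None

# Constructed sample events shaped like Wazuh's decoded eventchannel JSON.
SAMPLES = [
    {"win": {"system": {"providerName": "F-Secure Ultralight SDK", "eventID": "2"}}},
    {"win": {"system": {"providerName": "F-Secure Ultralight SDK", "eventID": "7"},
             "eventdata": {"rl": "https://example.invalid/block_page"}}},
    {"win": {"system": {"providerName": "F-Secure Ultralight SDK", "eventID": "7"},
             "eventdata": {"rl": "allow"}}},
]
if __name__ == "__main__":
    for ev in SAMPLES:
        print(match(ev, load_rules(RULES_XML)))
```

The third sample shows the fallback: an event ID 7 whose rl field does not end in block_page drops through to the level-5 rule 200452.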
WithSecure Elements EPP — Events and Alerts in SOCFortress Platform
Activity Summary:
Alerts — Relevant Metadata:
Alerts Timeline and Alerts Severity:
Alerts and Events — Full Metadata:
Need Help?
The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.
Website: https://www.socfortress.co/
Platform Demo: https://www.socfortress.co/demo_access.html
SOCFortress is a WithSecure partner and reseller.