I follow the steps and the Wazuh list gets one security event added.
What am I missing, since I do not get a security event with rule ID 115005?
I just ran through the lab, and it worked as expected:
I first made sure I could reach the Wazuh server from Windows by IP…
I then visited the Wazuh server in Firefox (from the Windows client) and installed the Wazuh agent on the Windows client…

I made sure the client was active in Wazuh…
I then added a filter on the Wazuh Security Events dashboard so that only events having a MITRE ID would show. This is not critical, but it makes finding MITRE events easier…

Next I modified ossec.conf on the Windows client, restarted the Wazuh agent, and made sure the Wazuh agent service was running…
Here is the change I made to ossec.conf…
On the Windows client, I imported Atomic Red Team, and ran Atomic Test T1548.002-3
Lastly, I clicked REFRESH on the Wazuh Security Events page and found a new event at the top…