In the Wazuh fork, dynamic decoders are an outstanding idea. It allows unprecedented visualization capabilities in the security console *without* having to resort to further parsing tricks at ingestion time. It is all done in OSSEC.
Dynamic decoders enable unprecedented normalization of events. Dynamic variables + dynamic decoders would tremendously boost OSSEC's host intrusion detection capabilities, enabling modeling of attack scenarios that were previously *unthinkable* in stock OSSEC. The above examples are a very basic illustration of the endless threat scenario modeling possibilities that dynamic variables would add to the Wazuh fork of OSSEC.

By the way, legitimate user names and domain names in Windows may contain spaces. System events have "NT Authority" as the domain name. The out-of-the-box dynamic decoders fail and only pick up "NT" in the case of the "NT Authority" domain. Ditto for user names that contain spaces. The following works in case the user name or domain contains spaces:

    <regex>Account Name:\s\s+(\w\.+)\s\s+Account Domain:</regex>

and for domain names:

    <regex>Account Domain:\s\s+(\w\.+)\s\s+Logon ID:</regex>
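Added example, not part of the original post: the two regexes above translated into Python syntax and run over constructed, flattened Windows Security events, so the "NT" truncation and its fix can be checked side by side. It assumes OSSEC's `\s` means a literal space and `\.` means any character, that the agent collapses event newlines into runs of spaces, and that the stock-style pattern stops at the first space (the naive patterns and the non-greedy quantifier are my choices, not Wazuh's shipped decoders).

```python
import re

# Naive, stock-style patterns (assumption): \w+ stops at the first space,
# so "NT AUTHORITY" is truncated to "NT" and "Jane Doe" to "Jane".
NAIVE = {
    "name": re.compile(r"Account Name:  +(\w+)"),
    "domain": re.compile(r"Account Domain:  +(\w+)"),
}

# The post's fix, translated: OSSEC "\s\s+(\w\.+)\s\s+" becomes "  +(\w.+?)  +".
# The trailing field label anchors the capture; the non-greedy quantifier is my
# choice so the capture stops at the next field separator.
SPACE_TOLERANT = {
    "name": re.compile(r"Account Name:  +(\w.+?)  +Account Domain:"),
    "domain": re.compile(r"Account Domain:  +(\w.+?)  +Logon ID:"),
}

# Constructed sample events (not from the post), with newlines already
# collapsed into runs of spaces as the agent delivers them.
SAMPLE_EVENTS = [
    "Subject:   Security ID:  S-1-5-18   Account Name:  SYSTEM   "
    "Account Domain:  NT AUTHORITY   Logon ID:  0x3e7",
    "New Logon:   Security ID:  S-1-5-21-1-2-3-1001   Account Name:  Jane Doe   "
    "Account Domain:  CORP   Logon ID:  0x1a2b3c",
]


def decode(event: str, patterns: dict) -> dict:
    """Extract fields the way a dynamic decoder would; keys absent when no match."""
    fields = {}
    for key, pattern in patterns.items():
        match = pattern.search(event)
        if match:
            fields[key] = match.group(1)
    return fields


def compare(event: str) -> dict:
    """Decode one event with both pattern sets for side-by-side inspection."""
    return {"naive": decode(event, NAIVE), "fixed": decode(event, SPACE_TOLERANT)}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(compare(event))
```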