On Wednesday, March 1, 2017 at 7:31:58 PM UTC-6, dan (ddpbsd) wrote:
> On Wed, Mar 1, 2017 at 6:40 PM, Ed Davison <edav...@gmail.com> wrote:
> > It would be great to see the decoder entries that go with these rules ... I know this is an older post but maybe you are still around and can share the decoder and maybe the plugin as well?
>
> If you can provide log samples, we can work on decoders. :-)

Sure thing. Here are two examples. I can probably extrapolate the other events if I can get these working. It would be great if USERDATA fields could be filled with items like: User, Name, Category, Process Name, Severity, Path.
2017 Mar 03 10:06:20 (TEST2) 10.10.15.x->WinEvtLog 2017 Mar 03 10:06:16 WinEvtLog: Microsoft-Windows-Windows Defender/Operational: INFORMATION(1117): Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: TEST2.domain.net: Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0 Name: Virus:DOS/EICAR_Test_File ID: 2147519003 Severity: Severe Category: Virus Path: containerfile:_C:\Users\user\AppData\Local\Temp\ZUNXLCOu.zip.part;file:_C:\Users\user\AppData\Local\Temp\U6ZR55qF.com.part;file:_C:\Users\user\AppData\Local\Temp\ZUNXLCOu.zip.part->(Zip);file:_C:\Users\user\AppData\Local\Temp\ZUNXLCOu.zip.part->eicar.com Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Program Files (x86)\Mozilla Firefox\firefox.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x00000000 Error description: The operation completed successfully. Signature Version: AV: 1.237.484.0, AS: 1.237.484.0, NIS: 116.72.0.0 Engine Version: AM: 1.1.13504.0, NIS: 2.1.12706.0

2017 Mar 03 10:05:54 (TEST2) 10.10.15.x->WinEvtLog 2017 Mar 03 10:05:50 WinEvtLog: Microsoft-Windows-Windows Defender/Operational: WARNING(1116): Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: TEST2.domain.net: Windows Defender has detected malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0 Name: Virus:DOS/EICAR_Test_File ID: 2147519003 Severity: Severe Category: Virus Path: containerfile:_C:\Users\user\AppData\Local\Temp\ZUNXLCOu.zip.part;file:_C:\Users\user\AppData\Local\Temp\U6ZR55qF.com.part;file:_C:\Users\user\AppData\Local\Temp\ZUNXLCOu.zip.part->(Zip);file:_C:\Users\user\AppData\Local\Temp\ZUNXLCOu.zip.part->eicar.com Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: DOMAIN\user Process Name: C:\Program Files (x86)\Mozilla Firefox\firefox.exe Signature Version: AV: 1.237.484.0, AS: 1.237.484.0, NIS: 116.72.0.0 Engine Version: AM: 1.1.13504.0, NIS: 2.1.12706.0
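A field extractor for the two Defender events posted above, added here as an example and not code from the thread or from OSSEC itself: it recovers the labelled values (Name, Severity, Category, Path, User, Process Name, and the rest) the way a decoder would, handling the fact that the 1116 event carries no Action fields. The label list is taken from the posted events; the samples are abridged copies of them, and mapping the result onto decoder field names is left to the decoder XML.

```python
import re
# Labels Windows Defender writes into the text of events 1116/1117, in order.
# Values carry no delimiter, so a value is the text between one label and the next.
DEFENDER_KEYS = [
    "Name", "ID", "Severity", "Category", "Path", "Detection Origin",
    "Detection Type", "Detection Source", "User", "Process Name", "Action",
    "Action Status", "Error Code", "Error description", "Signature Version",
    "Engine Version",
]
# Longest labels first so "Process Name: " is never read as "Name: "; the
# lookbehind keeps "name=" inside the fwlink URL from matching.
_KEY_RE = re.compile(r"(?<!\S)(" + "|".join(
    re.escape(k) for k in sorted(DEFENDER_KEYS, key=len, reverse=True)) + r"): ")
_HEADER_RE = re.compile(r"Windows Defender/Operational: (\w+)\((\d+)\): ")

def decode_defender_event(line):
    """Return the fields a decoder would extract, or {} for other log lines."""
    m = _HEADER_RE.search(line)
    if not m:
        return {}
    fields = {"level": m.group(1), "event_id": m.group(2)}
    hits = list(_KEY_RE.finditer(line, m.end()))
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        fields[hit.group(1)] = line[hit.end():end].strip()
    return fields

# Both samples abridged from the post above (OSSEC prefix and most Path entries dropped).
SAMPLE_1117 = (
    r"WinEvtLog: Microsoft-Windows-Windows Defender/Operational: INFORMATION(1117): Microsoft-Windows-Windows "
    r"Defender: SYSTEM: NT AUTHORITY: TEST2.domain.net: Windows Defender has taken action to protect this "
    r"machine from malware or other potentially unwanted software. For more information please see the "
    r"following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003"
    r"&enterprise=0 Name: Virus:DOS/EICAR_Test_File ID: 2147519003 Severity: Severe Category: Virus "
    r"Path: file:_C:\Users\user\AppData\Local\Temp\ZUNXLCOu.zip.part->eicar.com Detection Origin: Local machine "
    r"Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM "
    r"Process Name: C:\Program Files (x86)\Mozilla Firefox\firefox.exe Action: Quarantine "
    r"Action Status: No additional actions required Error Code: 0x00000000 Error description: The operation "
    r"completed successfully. Signature Version: AV: 1.237.484.0, AS: 1.237.484.0, NIS: 116.72.0.0 Engine Version: AM: 1.1.13504.0, NIS: 2.1.12706.0")
SAMPLE_1116 = (
    r"WinEvtLog: Microsoft-Windows-Windows Defender/Operational: WARNING(1116): Microsoft-Windows-Windows "
    r"Defender: SYSTEM: NT AUTHORITY: TEST2.domain.net: Windows Defender has detected malware or other "
    r"potentially unwanted software. Name: Virus:DOS/EICAR_Test_File ID: 2147519003 Severity: Severe "
    r"Category: Virus Path: file:_C:\Users\user\AppData\Local\Temp\U6ZR55qF.com.part Detection Origin: Local machine "
    r"Detection Type: Concrete Detection Source: Real-Time Protection User: DOMAIN\user Process Name: C:\Program "
    r"Files (x86)\Mozilla Firefox\firefox.exe Signature Version: AV: 1.237.484.0, AS: 1.237.484.0, NIS: 116.72.0.0 "
    r"Engine Version: AM: 1.1.13504.0, NIS: 2.1.12706.0")
if __name__ == "__main__":
    for ev in map(decode_defender_event, (SAMPLE_1117, SAMPLE_1116)):
        print(ev["event_id"], ev["Severity"], ev["Name"], ev["User"], ev.get("Action", "-"))
```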