Hello Daryl,

Here 
<https://github.com/wazuh/wazuh-ruleset/blob/master/decoders/0380-windows_decoders.xml#L200>
you'll find some decoders for Sysmon (in the same repository, the "rules" 
folder holds the rules). Although the decoders are built for Wazuh, it's 
possible to use them with some modifications. The main modification will be 
to change the dynamic fields (OSSEC doesn't support dynamic fields). 

If you have any doubt let us know. 

Best regards, 
Alberto R.  

PS: Here <https://blog.wazuh.com/using-wazuh-to-monitor-sysmon-events/> I 
explain how to build a little rule that uses the decoder indicated above. 
Hope it helps.

On Wednesday, August 9, 2017 at 2:31:57 PM UTC+2, Daryl Field wrote:
>
> Hi all,
>
> I'll start by saying I'm a complete rookie with OSSEC, but I know what I 
> am looking to set up:
>
> I have Sysmon on my Windows agent, reporting back some good info, 
> including PowerShell usage.
>
> What I'd like to do on my OSSEC server is set up an alert rule to trigger 
> when usage of specific PowerShell commands is logged by Sysmon, in 
> particular "-noprofile" and "-ExecutionPolicy Unrestricted". 
>
> Can anybody offer me some newbie pointers on how to go about this? 
>
>
> Thanks
>
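As an added illustration of the rule the thread is asking for (this is not code from the post, the Wazuh blog, or the Wazuh ruleset): a local_rules.xml fragment with a Wazuh variant that matches the decoded command-line field and an OSSEC variant that runs a regex over the raw event text. The field name sysmon.commandLine / sysmon.image, the parent rule ids 61603 (Wazuh Sysmon process creation) and 18100 (OSSEC Windows group), and the local ids 100100/100101 are assumptions to verify against your own ruleset version.

```xml
<!-- local_rules.xml (added example, not from the thread or the Wazuh ruleset).
     Assumed: the linked decoder exposes Sysmon Event 1 fields as sysmon.image and
     sysmon.commandLine, Wazuh's base rule for Sysmon Event 1 is 61603, and OSSEC's
     generic Windows rule is 18100. Ids 100100/100101 are local-range placeholders. -->
<group name="local,sysmon,powershell,">

  <!-- Wazuh variant: both <field> conditions must hold (AND). Regex syntax is
       OSSEC's OS_Regex, so "\." is a literal dot and "\s+" one or more spaces. -->
  <rule id="100100" level="10">
    <if_sid>61603</if_sid>
    <field name="sysmon.image">powershell\.exe$</field>
    <field name="sysmon.commandLine">-noprofile|-ExecutionPolicy\s+Unrestricted</field>
    <description>Sysmon: PowerShell started with -noprofile or -ExecutionPolicy Unrestricted</description>
    <group>powershell_suspicious,</group>
  </rule>

  <!-- OSSEC variant (no dynamic fields): match against the whole log line,
       chained to the Windows event rule so it only sees Windows events. -->
  <rule id="100101" level="10">
    <if_sid>18100</if_sid>
    <regex>powershell\.exe.+-noprofile|powershell\.exe.+-ExecutionPolicy\s+Unrestricted</regex>
    <description>Sysmon (OSSEC): PowerShell started with -noprofile or -ExecutionPolicy Unrestricted</description>
    <group>powershell_suspicious,</group>
  </rule>

</group>
```

Test the rule with ossec-logtest against a captured Sysmon Event 1 line before deploying it; a literal pattern like this only fires on the exact switch spelling, so review your Sysmon logs for the abbreviated forms PowerShell also accepts and extend the regex if you want those covered.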
