Hi, I have OSSEC manager 2.9.2 on Ubuntu and OSSEC agent on Windows v2.9.0.
Sysmon is installed and has been configured, and for example I tried to access
PowerShell; this is the agent's log.
So I tried to use ossec-logtest and got this result:

**Phase 1: Completed pre-decoding.
       full event: '2017 Sep 28 11:15:28 WinEvtLog: 
Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create: 
 UtcTime: 2017-09-28 04:15:28.884  ProcessGuid: 
{6B166207-7760-59CC-0000-0010F1E00800}  ProcessId: 732  Image: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  CommandLine: 
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"   
CurrentDirectory: C:\Windows\system32\  User: IE11WIN7\IEUser  LogonGuid: 
{6B166207-76B9-59CC-0000-0020FDE40100}  LogonId: 0x1e4fd 
 TerminalSessionId: 1  IntegrityLevel: High  Hashes: 
MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
 
 ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600} 
 ParentProcessId: 2920  ParentImage: C:\Windows\explorer.exe 
 ParentCommandLine: C:\Windows\Explorer.EXE'
       hostname: 'ubuntu'
       program_name: 'WinEvtLog'
       log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create: 
 UtcTime: 2017-09-28 04:15:28.884  ProcessGuid: 
{6B166207-7760-59CC-0000-0010F1E00800}  ProcessId: 732  Image: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  CommandLine: 
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"   
CurrentDirectory: C:\Windows\system32\  User: IE11WIN7\IEUser  LogonGuid: 
{6B166207-76B9-59CC-0000-0020FDE40100}  LogonId: 0x1e4fd 
 TerminalSessionId: 1  IntegrityLevel: High  Hashes: 
MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
 
 ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600} 
 ParentProcessId: 2920  ParentImage: C:\Windows\explorer.exe 
 ParentCommandLine: C:\Windows\Explorer.EXE'

**Phase 2: Completed decoding.
       *decoder: 'windows'*
       status: 'INFORMATION'
       id: '1'
       extra_data: 'Microsoft-Windows-Sysmon'
       dstuser: 'SYSTEM'
       system_name: 'IE11Win7'

**Phase 3: Completed filtering (rules).
       Rule id: '99999'
       Level: '3'
       Description: 'Windows Rule Triggered'
**Alert to be generated.


Here is the Sysmon decoder by default:

<decoder name="Sysmon-EventID#1">
  <type>windows</type>
  <prematch>INFORMATION\(1\)</prematch>
  <regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
  <order>status,user,url,data</order>
</decoder>



As far as I know, there is a Sysmon decoder and Sysmon rules in OSSEC 2.9.2.
Could anyone help me with how to fix it so the Sysmon decoder and Sysmon rules
are triggered?

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.