You should try these for Sysmon events. https://github.com/defensivedepth/Sysmon_OSSEC/blob/master/Sysmon_OSSEC-Decoders.xml
I'm not familiar with wazuh, if it's a fork of OSSEC decoders/rules or what? I can tell you that the ones I've linked will work without breaking other things...

On Wednesday, January 13, 2016 at 7:24:40 AM UTC-8, [email protected] wrote:
>
> Hello,
>
> I incorporated wazuh's custom OSSEC decoders for sysmon events
> (https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml)
> by placing these decoders into /var/ossec/etc/local_decoder.xml. However,
> when I did this, the normal windows rules in
> /var/ossec/rules/msauth_rules.xml would no longer fire. Obviously I created
> a conflict of some sort, but I'm not certain where.
>
> To expound, here is a sample log line:
>
> 2016 Jan 13 08:19:04 WinEvtLog: Security: AUDIT_SUCCESS(4733): Microsoft-Windows-Security-Auditing: (no user): no domain: foo.local: A member was removed from a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: foo-machine$ Account Domain: FOO Logon ID: 0x3e7 Member: Security ID: S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -
>
> Before adding a local_decoder.xml, this log line would be parsed as
> follows:
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '4733'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: '(no user)'
>        system_name: 'foo-machine'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18217'
>        Level: '12'
>        Description: 'Administrators Group Changed'
>        Info - Text: 'http://support.microsoft.com/kb/243330'
> **Alert to be generated.
>
> Now, it's parsed as such:
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18100'
>        Level: '0'
>        Description: 'Group of windows rules.'
>
> Why!?!
>
> Thanks!
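To make the two ossec-logtest outputs quoted above concrete, here is a small added Python approximation of what the stock `windows` decoder extracts from a WinEvtLog line. This is example code written for this thread, not OSSEC's or Wazuh's decoder: the regex mirrors the field order shown in the "Phase 2" output, and the sample line is constructed (the host field is made consistent with the quoted `system_name`).

```python
import re

# Constructed sample line, modelled on the one in the thread.
SAMPLE_LINE = (
    "2016 Jan 13 08:19:04 WinEvtLog: Security: AUDIT_SUCCESS(4733): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: foo-machine: "
    "A member was removed from a security-enabled local group. Subject: "
    "Security ID: S-1-5-18 Account Name: foo-machine$ Account Domain: FOO"
)

# Parent decoder: the prematch that selects the 'windows' decoder family.
PREMATCH = re.compile(r"WinEvtLog: ")

# Child decoder (assumed layout, built from the thread's Phase 2 output):
#   <log>: <status>(<id>): <source>: <user>: <domain>: <host>: <message>
CHILD = re.compile(
    r"^(?P<log>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): [^:]+: (?P<system_name>\S+): "
)

FIELDS = ("status", "id", "extra_data", "dstuser", "system_name")


def decode(line, children=(CHILD,)):
    """Return the fields a logtest 'Phase 2' would report for `line`.

    None when the parent prematch misses. When the prematch hits but no
    child pattern in `children` matches, only the decoder name comes back,
    which is the shape of the second ('after') output in the thread: the
    rules that key on id/status then have nothing to match.
    """
    parent = PREMATCH.search(line)
    if parent is None:
        return None
    fields = {"decoder": "windows"}
    rest = line[parent.end():]
    for pattern in children:
        m = pattern.match(rest)
        if m:
            fields.update({name: m.group(name) for name in FIELDS})
            break
    return fields


if __name__ == "__main__":
    for key, value in decode(SAMPLE_LINE).items():
        print(f"       {key}: '{value}'")
```

Running the block prints the same field list as the first quoted Phase 2 output; calling `decode(SAMPLE_LINE, children=())` reproduces the bare `decoder: 'windows'` shape of the second one.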
