Hey Guys, I have been running the latest OSSEC 2.83 with a Wazuh fork upgrade. I have performed the Wazuh auto update with the .py script. All works well, thanks guys.

I have simply noticed recently that I cannot make use of my favorite Sysmon based correlations because I am not able to see events with all the valid information fields like image, hash, network connection... I am assuming the rules for Sysmon are only parsing certain events and making certain event criteria from those events available for the alert. How can I see all my information fields stated above in the Sysmon type alerts that fire?

What I do see is: Sysmon suspicious file -svchost.exe alerts firing a lot on a multicast address. No hash... Has the hash field been ignored in a rule? Do I need to make a rule to just grab more fields and report?

Thanks Guys, I appreciate your expert advice. ;-)

--R
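As an added illustration (editor's example, not the poster's code and not OSSEC's or Wazuh's decoder), the script below shows why a Sysmon network-connection alert carries no hash and how the field can still be attached: Sysmon writes `Hashes` only on the process-create event (Event ID 1), while the network-connection event (Event ID 3) carries `Image`, `DestinationIp` and `DestinationPort` but no hash, and the two are linked by `ProcessGuid`. The two event messages are constructed samples in Sysmon's `Key: Value` layout, with a placeholder SHA1; the parser, the multicast check and the `SysmonCorrelator` class are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample events (not real captures): the message text of a Sysmon
# process-create event (ID 1) and a network-connection event (ID 3) for the same
# process. Sysmon links them through ProcessGuid; only ID 1 carries Hashes.
SAMPLE_PROCESS_CREATE = """Process Create:
UtcTime: 2015-01-01 00:00:00.000
ProcessGuid: {11111111-2222-3333-4444-555555555555}
ProcessId: 1234
Image: C:\\Windows\\System32\\svchost.exe
CommandLine: C:\\Windows\\System32\\svchost.exe -k LocalServiceAndNoImpersonation
User: NT AUTHORITY\\LOCAL SERVICE
Hashes: SHA1=0000000000000000000000000000000000000000
ParentImage: C:\\Windows\\System32\\services.exe"""

SAMPLE_NETWORK_CONNECTION = """Network connection detected:
UtcTime: 2015-01-01 00:00:01.000
ProcessGuid: {11111111-2222-3333-4444-555555555555}
ProcessId: 1234
Image: C:\\Windows\\System32\\svchost.exe
User: NT AUTHORITY\\LOCAL SERVICE
Protocol: udp
Initiated: true
SourceIp: 192.0.2.10
SourcePort: 54321
DestinationIp: 239.255.255.250
DestinationPort: 1900"""

# One "Key: Value" line of a Sysmon message; values may themselves contain colons.
FIELD_RE = re.compile(r"^([A-Za-z]+):\s?(.*)$")


def parse_sysmon_message(message):
    """Turn the 'Key: Value' lines of a Sysmon message into a dict.
    The first line is the event title and is skipped."""
    fields = {}
    for line in message.splitlines()[1:]:
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def is_multicast(ip_text):
    """True for multicast destinations (224.0.0.0/4, ff00::/8); False for junk."""
    try:
        return ipaddress.ip_address(ip_text).is_multicast
    except ValueError:
        return False


class SysmonCorrelator:
    """Remembers hashes from ID 1 events, keyed by ProcessGuid, so later
    ID 3 events from the same process can be reported with the hash
    (hypothetical helper, not part of OSSEC or Wazuh)."""

    def __init__(self):
        self.hashes_by_guid = {}

    def process_create(self, message):
        f = parse_sysmon_message(message)
        if "ProcessGuid" in f and "Hashes" in f:
            self.hashes_by_guid[f["ProcessGuid"]] = f["Hashes"]
        return f

    def network_connection(self, message):
        f = parse_sysmon_message(message)
        return {
            "image": f.get("Image"),
            "user": f.get("User"),
            "dest_ip": f.get("DestinationIp"),
            "dest_port": f.get("DestinationPort"),
            "dest_is_multicast": is_multicast(f.get("DestinationIp", "")),
            # The hash comes from the earlier ID 1 event, never from this message.
            "hashes": self.hashes_by_guid.get(f.get("ProcessGuid")),
        }


if __name__ == "__main__":
    c = SysmonCorrelator()
    c.process_create(SAMPLE_PROCESS_CREATE)
    print(c.network_connection(SAMPLE_NETWORK_CONNECTION))
```

Run stand-alone, the script prints the enriched network-connection alert: svchost.exe talking to 239.255.255.250:1900 (a multicast address), with the SHA1 recovered from the process-create event. If the ID 1 event was never seen, `hashes` is `None`, which is the situation behind an alert that shows the image but no hash.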
