Hi Rob B,

There are decoders
<https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml#L215>
for every Sysmon event; the main fields are being extracted.
Rules have only been created for Sysmon Event ID 1.

See the attached example:

2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational:
> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY:
> WIN-U93G48C7BOP: Process Create:  UtcTime: 12/20/2014 2:29 PM  ProcessGuid:
> {00000000-87DB-5495-0000-001045F25A00}  ProcessId: 3048  Image:
> C:\Windows\system32\svchost.exe  CommandLine:
> "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\Desktop\ossec.log
>  User: WIN-U93G48C7BOP\Administrator  LogonGuid:
> {00000000-84B8-5494-0000-0020CB330200}  LogonId: 0x233CB
>  TerminalSessionId: 1  IntegrityLevel: High  HashType: SHA1  *Hash:
> 9FEF303BEDF8430403915951564E0D9888F6F365* ParentProcessGuid:
> {00000000-84B9-5494-0000-0010BE4A0200}  ParentProcessId: 848  ParentImage:
> C:\Windows\Explorer.EXE  ParentCommandLine: C:\Windows\Explorer.EXE
>
> **Phase 1: Completed pre-decoding.
>        full event: '2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-
> Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT
> AUTHORITY: WIN-U93G48C7BOP: Process Create:  UtcTime: 12/20/2014 2:29 PM
>  ProcessGuid: {00000000-87DB-5495-0000-001045F25A00}  ProcessId: 3048
>  Image: C:\Windows\system32\svchost.exe  CommandLine:
> "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\Desktop\ossec.log
>  User: WIN-U93G48C7BOP\Administrator  LogonGuid:
> {00000000-84B8-5494-0000-0020CB330200}  LogonId: 0x233CB
>  TerminalSessionId: 1  IntegrityLevel: High  HashType: SHA1  Hash:
> 9FEF303BEDF8430403915951564E0D9888F6F365  ParentProcessGuid:
> {00000000-84B9-5494-0000-0010BE4A0200}  ParentProcessId: 848  ParentImage:
> C:\Windows\Explorer.EXE  ParentCommandLine: C:\Windows\Explorer.EXE'
>        hostname: 'v283'
>        program_name: '(null)'
>        log: '2014 Dec 20 09:29:47 WinEvtLog: 
> Microsoft-Windows-Sysmon/Operational:
> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY:
> WIN-U93G48C7BOP: Process Create:  UtcTime: 12/20/2014 2:29 PM  ProcessGuid:
> {00000000-87DB-5495-0000-001045F25A00}  ProcessId: 3048  Image:
> C:\Windows\system32\svchost.exe  CommandLine:
> "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\Desktop\ossec.log
>  User: WIN-U93G48C7BOP\Administrator  LogonGuid:
> {00000000-84B8-5494-0000-0020CB330200}  LogonId: 0x233CB
>  TerminalSessionId: 1  IntegrityLevel: High  HashType: SHA1  Hash:
> 9FEF303BEDF8430403915951564E0D9888F6F365  ParentProcessGuid:
> {00000000-84B9-5494-0000-0010BE4A0200}  ParentProcessId: 848  ParentImage:
> C:\Windows\Explorer.EXE  ParentCommandLine: C:\Windows\Explorer.EXE'
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'C:\Windows\system32\svchost.exe'
>        dstuser: 'WIN-U93G48C7BOP\Administrator'
>
>        url: '9FEF303BEDF8430403915951564E0D9888F6F365'
>        extra_data: 'C:\Windows\Explorer.EXE'
> **Phase 3: Completed filtering (rules).
>        Rule id: '184666'
>        Level: '12'
>        Description: 'Sysmon - Suspicious Process - svchost.exe'



The Hash field is being extracted, but it is not being displayed in the rule
information.
You can use the *json_output* option, which will print an extended alert
containing fields such as *url* or *extra_data*.


If you need more help, let us see the output of pasting your log into the
bin/ossec-logtest tool.

Best Regards,

Pedro S.



On Tue, Mar 8, 2016 at 9:10 PM, Rob B <[email protected]> wrote:

> Hey Guys,
>
>   I have been running the latest OSSEC 2.83 with a Wazuh fork upgrade. I
> have performed the Wazuh auto update with the .py script. All works well,
> thanks guys.
>
> I have simply noticed recently that I cannot make use of my favorite
> Sysmon based correlations because I am not able to see events with all the
> valid information fields like image, hash, network connection..... I am
> assuming the rules for Sysmon are only parsing certain events and making
> certain event criteria from those events available for the alert.
>
> How can I see all my information fields stated above in the Sysmon type
> alerts that fire? What I do see is: Sysmon suspicious file - svchost.exe
> alerts firing a lot on a multicast address. No hash... Has the hash field
> been ignored in a rule?
>
> Do I need to make a rule to just grab more fields and report?
>
>
> Thanks Guys, I appreciate your expert advice.  ;-)
>
> --R
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>

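Added example (not code from this thread and not the Wazuh/OSSEC decoder): a small Python parser for the pre-decoded WinEvtLog line that ossec-logtest shows above. It pulls the Sysmon Event ID out of the `INFORMATION(1)` header, splits the body into every `Key: value` pair (so Image, CommandLine, Hash, ParentImage and the rest are all available, not only the four that the `windows` decoder surfaces), reproduces the Phase 2 mapping seen in the logtest output (Image to status, User to dstuser, Hash to url, ParentImage to extra_data), and runs a rule-style check of the hash against a blocklist. The header and field regexes, the mapping table and the blocklist are this example's assumptions; the sample line is constructed from the field values quoted in Pedro's output.

```python
"""Parse an OSSEC-formatted Sysmon WinEvtLog line and reproduce the decoded fields.

Added example: the regexes, the OSSEC field mapping and the hash list below are
this example's own assumptions, not the Wazuh/OSSEC decoder code.
"""
import re
from typing import Dict, Optional

# Constructed sample line, assembled from the field values quoted in the thread.
SAMPLE = (
    "2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: "
    "INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP: "
    "Process Create:  UtcTime: 12/20/2014 2:29 PM  "
    "ProcessGuid: {00000000-87DB-5495-0000-001045F25A00}  ProcessId: 3048  "
    "Image: C:\\Windows\\system32\\svchost.exe  "
    "CommandLine: \"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\Administrator\\Desktop\\ossec.log  "
    "User: WIN-U93G48C7BOP\\Administrator  LogonGuid: {00000000-84B8-5494-0000-0020CB330200}  "
    "LogonId: 0x233CB  TerminalSessionId: 1  IntegrityLevel: High  HashType: SHA1  "
    "Hash: 9FEF303BEDF8430403915951564E0D9888F6F365  "
    "ParentProcessGuid: {00000000-84B9-5494-0000-0010BE4A0200}  ParentProcessId: 848  "
    "ParentImage: C:\\Windows\\Explorer.EXE  ParentCommandLine: C:\\Windows\\Explorer.EXE"
)

# Header layout of the agent's WinEvtLog format as it appears in the sample:
# timestamp, channel, LEVEL(EventID), provider, account, domain, host, task, body.
HEADER_RE = re.compile(
    r"^(?P<timestamp>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<severity>[A-Z]+)\((?P<event_id>\d+)\): "
    r"(?P<provider>[^:]+): (?P<account>[^:]+): (?P<domain>[^:]+): "
    r"(?P<hostname>[^:]+): (?P<task>[^:]+):\s+(?P<body>.*)$"
)

# Sysmon body fields are "Key: value" pairs separated by two or more spaces.
# The non-greedy value only stops before "  NextKey: ", so paths and command
# lines containing single spaces or bare colons stay intact.
FIELD_RE = re.compile(r"(?P<key>[A-Za-z]+): (?P<val>.*?)(?=\s{2,}[A-Za-z]+: |\Z)", re.S)

# How the Phase 2 logtest output maps Sysmon fields onto OSSEC's fixed fields
# (assumed from the sample output above).
OSSEC_FIELD_MAP = {"Image": "status", "User": "dstuser", "Hash": "url", "ParentImage": "extra_data"}

# Constructed blocklist keyed by upper-case SHA1; the sample's hash is listed
# only to exercise the matching path.
BAD_HASHES = {"9FEF303BEDF8430403915951564E0D9888F6F365": "test entry"}


def parse_winevtlog(line: str) -> Optional[Dict]:
    """Return header values plus a dict of all Sysmon fields, or None when the
    line is not in the WinEvtLog format."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    event = {k: v for k, v in m.groupdict().items() if k != "body"}
    event["event_id"] = int(event["event_id"])
    event["fields"] = {f.group("key"): f.group("val").strip()
                       for f in FIELD_RE.finditer(m.group("body"))}
    return event


def to_ossec_fields(event: Dict) -> Dict[str, str]:
    """Reproduce the four decoded fields ossec-logtest printed for Event ID 1."""
    return {ossec: event["fields"][sysmon]
            for sysmon, ossec in OSSEC_FIELD_MAP.items() if sysmon in event["fields"]}


def match_hash(event: Dict, bad_hashes: Dict[str, str]) -> Optional[str]:
    """Rule-style check: for Process Create (Event ID 1) events, return an alert
    description when the image hash is on the blocklist, else None."""
    if event["event_id"] != 1:
        return None
    digest = event["fields"].get("Hash", "").upper()
    label = bad_hashes.get(digest)
    if label is None:
        return None
    return f"Sysmon - known-bad hash {digest} ({label}) for {event['fields'].get('Image', '?')}"


if __name__ == "__main__":
    ev = parse_winevtlog(SAMPLE)
    print(to_ossec_fields(ev))
    print(match_hash(ev, BAD_HASHES))
```

The parser keeps every Sysmon field, which is the gap the thread is about: the decoder puts the hash into OSSEC's generic `url` slot, so it only appears in the extended (json_output) alert. Within OSSEC itself, a custom rule can test the decoded `url`, `status` or `extra_data` values through the rule elements of the same name, which is the built-in way to get a hash-based rule without changing the decoder.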