Rob - can you post your OSSEC version of the log? I can check my rules. These are a culmination of gleaned rules that I updated some time back with new event IDs. Yours is covered in there.... but I would like to test it against a valid OSSEC log. So if you can post it from the OSSEC logs, that'd be great.
Here they are..

</group>

<!-- Microsoft Security Essentials rules -->
<!-- see https://technet.microsoft.com/en-us/library/hh144989.aspx -->
<group name="windows,mse,">

  <rule id="720001" level="0">
    <category>windows</category>
    <if_sid>18101,18102,18103</if_sid>
    <extra_data>^Microsoft Antimalware</extra_data>
    <description>Grouping of Microsoft Security Essentials rules.</description>
  </rule>

  <rule id="720010" level="12">
    <if_sid>720001</if_sid>
    <id>^1118$|^1119$</id>
    <group>virus,</group>
    <description>Microsoft Security Essentials - Virus detected, but unable to remove.</description>
  </rule>

  <rule id="720011" level="7">
    <if_sid>720001</if_sid>
    <id>^1117$</id>
    <group>virus,</group>
    <description>Microsoft Security Essentials - Virus detected and properly removed.</description>
  </rule>

  <rule id="720012" level="7">
    <if_sid>720001</if_sid>
    <id>^1119$|^1118$|^1117$|^1116$</id>
    <group>virus,</group>
    <description>Microsoft Security Essentials - Virus detected.</description>
  </rule>

  <rule id="720013" level="7">
    <if_sid>720001</if_sid>
    <id>^1015$</id>
    <group>virus,</group>
    <description>Microsoft Security Essentials - Suspicious activity detected.</description>
  </rule>

  <!-- Service conditions and errors -->
  <rule id="720020" level="3">
    <if_sid>720001</if_sid>
    <id>^5007$</id>
    <description>Microsoft Security Essentials - Configuration changed.</description>
    <group>policy_changed,</group>
  </rule>

  <rule id="720021" level="9">
    <if_sid>720001</if_sid>
    <id>^5008$</id>
    <description>Microsoft Security Essentials - Service failed.</description>
  </rule>

  <rule id="720022" level="9">
    <if_sid>720001</if_sid>
    <id>^3002$</id>
    <description>Microsoft Security Essentials - Real time protection failed.</description>
  </rule>

  <rule id="720023" level="8">
    <if_sid>720001</if_sid>
    <id>^2012$</id>
    <description>Microsoft Security Essentials - Cannot use Dynamic Signature Service.</description>
  </rule>

  <rule id="720024" level="8">
    <if_sid>720001</if_sid>
    <id>^2004$</id>
    <description>Microsoft Security Essentials - Loading definitions failed. Using last good set.</description>
  </rule>

  <rule id="720025" level="8">
    <if_sid>720001</if_sid>
    <id>^2003$</id>
    <description>Microsoft Security Essentials - Engine update failed.</description>
  </rule>

  <rule id="720026" level="8">
    <if_sid>720001</if_sid>
    <id>^2001$</id>
    <description>Microsoft Security Essentials - Definitions update failed.</description>
  </rule>

  <rule id="720027" level="7">
    <if_sid>720001</if_sid>
    <id>^1005$</id>
    <description>Microsoft Security Essentials - Scan error. Scan has stopped.</description>
  </rule>

  <rule id="720028" level="5">
    <if_sid>720001</if_sid>
    <id>^1002$</id>
    <description>Microsoft Security Essentials - Scan stopped before completion.</description>
  </rule>

  <!-- EICAR test file special case -->
  <!-- www.eicar.org/86-0-Intended-use.html -->
  <rule id="720041" level="5">
    <if_sid>720012</if_sid>
    <match>Virus:DOS/EICAR_Test_File</match>
    <options>alert_by_email</options>
    <description>Microsoft Security Essentials - EICAR test file detected.</description>
  </rule>

  <rule id="720042" level="3">
    <if_sid>720011</if_sid>
    <match>Virus:DOS/EICAR_Test_File</match>
    <options>alert_by_email</options>
    <description>Microsoft Security Essentials - EICAR test file removed.</description>
  </rule>

  <rule id="720043" level="8">
    <if_sid>720010</if_sid>
    <match>Virus:DOS/EICAR_Test_File</match>
    <options>alert_by_email</options>
    <description>Microsoft Security Essentials - EICAR test file detected, but removal failed.</description>
  </rule>

  <!-- Status messages -->
  <rule id="720050" level="3">
    <if_sid>720001</if_sid>
    <id>^2000$</id>
    <description>Microsoft Security Essentials - Signature database updated.</description>
  </rule>

  <rule id="720051" level="3">
    <if_sid>720001</if_sid>
    <id>^2002$</id>
    <description>Microsoft Security Essentials - Scan engine updated.</description>
  </rule>

  <rule id="720053" level="3">
    <if_sid>720001</if_sid>
    <id>^1000$|^1001$</id>
    <description>Microsoft Security Essentials - Scan started or stopped.</description>
  </rule>

  <rule id="720054" level="4">
    <if_sid>720001</if_sid>
    <id>^1013$</id>
    <description>Microsoft Security Essentials - History cleared.</description>
  </rule>

  <!-- Time based alerts -->
  <rule id="720070" level="10" frequency="4" timeframe="240">
    <if_matched_sid>720011</if_matched_sid>
    <description>Multiple Microsoft Security Essentials AV warnings detected.</description>
  </rule>

  <rule id="720071" level="10" frequency="4" timeframe="240">
    <if_matched_sid>720012</if_matched_sid>
    <description>Multiple Microsoft Security Essentials AV warnings detected.</description>
  </rule>

</group> <!-- mse -->

On Friday, April 22, 2016 at 1:16:22 PM UTC-7, Rob B wrote:
>
> Hello All,
>
> Does anyone have a decoder for Windows Defender floating around out there??
>
> I'm having a heck of a time... Here is the event channel event example if anyone is curious or can help: (Win10 box)
>
> Log Name:      Microsoft-Windows-Windows Defender/Operational
> Source:        Microsoft-Windows-Windows Defender
> Date:          4/22/2016 4:05:17 PM
> Event ID:      1116
> Task Category: None
> Level:         Warning
> Keywords:
> User:          SYSTEM
> Computer:      VICTIM0
> Description:
> Windows Defender has detected malware or other potentially unwanted software.
> For more information please see the following:
> http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Bagsu!rfn&threatid=2147694406&enterprise=0
> Name: Trojan:Win32/Bagsu!rfn
> ID: 2147694406
> Severity: Severe
> Category: Trojan
> Path: containerfile:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe->(VFS:svchost.exe)
> Detection Origin: Network share
> Detection Type: Concrete
> Detection Source: Real-Time Protection
> User: frog
> Process Name: C:\Windows\explorer.exe
> Signature Version: AV: 1.217.2054.0, AS: 1.217.2054.0, NIS: 115.8.0.0
> Engine Version: AM: 1.1.12603.0, NIS: 2.1.11804.0
>
> Event Xml:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>   <System>
>     <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}" />
>     <EventID>1116</EventID>
>     <Version>0</Version>
>     <Level>3</Level>
>     <Task>0</Task>
>     <Opcode>0</Opcode>
>     <Keywords>0x8000000000000000</Keywords>
>     <TimeCreated SystemTime="2016-04-22T20:05:17.551083000Z" />
>     <EventRecordID>95</EventRecordID>
>     <Correlation ActivityID="{ECC2B320-F9A6-41AD-9F17-5C9EE24D3330}" />
>     <Execution ProcessID="2332" ThreadID="4540" />
>     <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
>     <Computer>VICTIM0</Computer>
>     <Security UserID="S-1-5-77" />
>   </System>
>   <EventData>
>     <Data Name="Product Name">%%827</Data>
>     <Data Name="Product Version">4.9.10586.0</Data>
>     <Data Name="Detection ID">{CAADD684-36C9-444B-8A6D-8CE537A93E40}</Data>
>     <Data Name="Detection Time">2016-04-22T20:04:40.369Z</Data>
>     <Data Name="Unused"></Data>
>     <Data Name="Unused2"></Data>
>     <Data Name="Threat ID">2147694406</Data>
>     <Data Name="Threat Name">Trojan:Win32/Bagsu!rfn</Data>
>     <Data Name="Severity ID">5</Data>
>     <Data Name="Severity Name">Severe</Data>
>     <Data Name="Category ID">8</Data>
>     <Data Name="Category Name">Trojan</Data>
>     <Data Name="FWLink">http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Bagsu!rfn&threatid=2147694406&enterprise=0</Data>
>     <Data Name="Status Code">1</Data>
>     <Data Name="Status Description"></Data>
>     <Data Name="State">1</Data>
>     <Data Name="Source ID">3</Data>
>     <Data Name="Source Name">%%818</Data>
>     <Data Name="Process Name">C:\Windows\explorer.exe</Data>
>     <Data Name="Detection User">frog</Data>
>     <Data Name="Unused3"></Data>
>     <Data Name="Path">containerfile:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe->(VFS:svchost.exe)</Data>
>     <Data Name="Origin ID">2</Data>
>     <Data Name="Origin Name">%%846</Data>
>     <Data Name="Execution ID">1</Data>
>     <Data Name="Execution Name">%%813</Data>
>     <Data Name="Type ID">0</Data>
>     <Data Name="Type Name">%%822</Data>
>     <Data Name="Pre Execution Status">0</Data>
>     <Data Name="Action ID">9</Data>
>     <Data Name="Action Name">%%887</Data>
>     <Data Name="Unused4"></Data>
>     <Data Name="Error Code">0x00000000</Data>
>     <Data Name="Error Description">The operation completed successfully. </Data>
>     <Data Name="Unused5"></Data>
>     <Data Name="Post Clean Status">0</Data>
>     <Data Name="Additional Actions ID">0</Data>
>     <Data Name="Additional Actions String">No additional actions required</Data>
>     <Data Name="Remediation User"></Data>
>     <Data Name="Unused6"></Data>
>     <Data Name="Signature Version">AV: 1.217.2054.0, AS: 1.217.2054.0, NIS: 115.8.0.0</Data>
>     <Data Name="Engine Version">AM: 1.1.12603.0, NIS: 2.1.11804.0</Data>
>   </EventData>
> </Event>
>
>
> Thanks!,
> Rob
> --

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
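The thread never gets as far as testing the posted rules against Rob's event, so here is an added example, not code from either poster or from the OSSEC project, that does the dry run offline. It is a small Python re-implementation of how OSSEC walks an `if_sid` tree, loaded with a verbatim subset of the MSE rules above and run over constructed decoded events. Assumptions, none of which come from the thread: OSSEC's Windows decoder exposes the event's Source name as `extra_data` (the ruleset's own `<extra_data>^Microsoft Antimalware</extra_data>` anchor depends on exactly that); the event decoded to stock rule 18101 (which of 18101-18103 fires depends on the event's Level, so 18101 is just a stand-in root); sibling rules are tried highest level first (that is what lets 1118 reach 720010 at level 12 ahead of the broader 720012 at level 7); Python `re` stands in for OSSEC's OS_Match for these simple `^...$|^...$` patterns; and the "widened" source anchor at the end is a hypothetical variant, not a recommended rule. Frequency rules such as 720070 need event history and are skipped.

```python
import re
import xml.etree.ElementTree as ET

# Verbatim subset of the MSE rules posted in this thread (720001, 720010-720012, 720043, 720070).
RULES_XML = """
<group name="windows,mse,">
  <rule id="720001" level="0">
    <category>windows</category>
    <if_sid>18101,18102,18103</if_sid>
    <extra_data>^Microsoft Antimalware</extra_data>
    <description>Grouping of Microsoft Security Essentials rules.</description>
  </rule>
  <rule id="720010" level="12">
    <if_sid>720001</if_sid>
    <id>^1118$|^1119$</id>
    <description>Microsoft Security Essentials - Virus detected, but unable to remove.</description>
  </rule>
  <rule id="720011" level="7">
    <if_sid>720001</if_sid>
    <id>^1117$</id>
    <description>Microsoft Security Essentials - Virus detected and properly removed.</description>
  </rule>
  <rule id="720012" level="7">
    <if_sid>720001</if_sid>
    <id>^1119$|^1118$|^1117$|^1116$</id>
    <description>Microsoft Security Essentials - Virus detected.</description>
  </rule>
  <rule id="720043" level="8">
    <if_sid>720010</if_sid>
    <match>Virus:DOS/EICAR_Test_File</match>
    <description>Microsoft Security Essentials - EICAR test file detected, but removal failed.</description>
  </rule>
  <rule id="720070" level="10" frequency="4" timeframe="240">
    <if_matched_sid>720011</if_matched_sid>
    <description>Multiple Microsoft Security Essentials AV warnings detected.</description>
  </rule>
</group>
"""

# Hypothetical variant (not from the thread): widen the group's source anchor so the Win10
# Defender provider name seen in Rob's event is also accepted by the 720001 parent rule.
WIDENED_XML = RULES_XML.replace(
    "<extra_data>^Microsoft Antimalware</extra_data>",
    "<extra_data>^Microsoft Antimalware|^Microsoft-Windows-Windows Defender</extra_data>")

# Constructed decoded events (not real OSSEC output): only the fields the rules above test.
# Assumption: the Windows decoder puts the event Source into extra_data and the event ID into id.
MSE_1118 = {"id": "1118", "extra_data": "Microsoft Antimalware",
            "log": "Name: Trojan:Win32/Bagsu!rfn"}
MSE_1118_EICAR = dict(MSE_1118, log="Name: Virus:DOS/EICAR_Test_File")
DEFENDER_1116 = {"id": "1116", "extra_data": "Microsoft-Windows-Windows Defender",
                 "log": "Windows Defender has detected malware or other potentially unwanted "
                        "software. Name: Trojan:Win32/Bagsu!rfn"}

def load_rules(xml_text):
    """Parse <rule> elements into dicts keyed by rule id."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        rid = int(r.get("id"))
        rules[rid] = {
            "id": rid, "level": int(r.get("level")),
            "if_sid": [int(s) for s in (r.findtext("if_sid") or "").split(",") if s.strip()],
            "event_id": r.findtext("id"),        # the <id> child: Windows event ID pattern
            "extra_data": r.findtext("extra_data"),
            "match": r.findtext("match"),
            "frequency": r.get("frequency"),     # stateful rules are skipped by children()
        }
    return rules

def children(rules, parent_id):
    """Direct if_sid children, highest level first (assumed OSSEC sibling order)."""
    kids = [r for r in rules.values() if parent_id in r["if_sid"] and r["frequency"] is None]
    return sorted(kids, key=lambda r: r["level"], reverse=True)

def conditions_hold(rule, event):
    """extra_data and <id> are anchored patterns; <match> is a plain substring test."""
    if rule["extra_data"] and not re.search(rule["extra_data"], event["extra_data"]):
        return False
    if rule["event_id"] and not re.search(rule["event_id"], event["id"]):
        return False
    if rule["match"] and rule["match"] not in event["log"]:
        return False
    return True

def evaluate(rules, event, parent_id):
    """First matching sibling wins, then its own children are tried; deepest match is returned.
    None means the parent had no matching child (for a level-0 parent: no alert at all)."""
    for rule in children(rules, parent_id):
        if conditions_hold(rule, event):
            deeper = evaluate(rules, event, rule["id"])
            return deeper if deeper is not None else rule["id"]
    return None

def classify(event, xml_text=RULES_XML, root_sid=18101):
    """Rule id the event ends up on, starting from the assumed stock parent 18101."""
    return evaluate(load_rules(xml_text), event, root_sid)

if __name__ == "__main__":
    for label, ev, xml in [("MSE 1118", MSE_1118, RULES_XML),
                           ("MSE 1118 + EICAR", MSE_1118_EICAR, RULES_XML),
                           ("Defender 1116, posted rules", DEFENDER_1116, RULES_XML),
                           ("Defender 1116, widened anchor", DEFENDER_1116, WIDENED_XML)]:
        print(f"{label}: rule {classify(ev, xml)}")
```

The point the dry run makes is that the event IDs are indeed "covered" (1116 is in 720012's `<id>` list), but every MSE rule hangs off 720001, whose `<extra_data>^Microsoft Antimalware</extra_data>` anchor is checked against the Source name; Rob's Win10 event carries Source `Microsoft-Windows-Windows Defender`, so under the assumptions above the tree is never entered and nothing fires. The place to confirm or refute that is the raw `WinEvtLog:` line from the agent, which is exactly what the reply asks for: run it through `ossec-logtest` and check which field the Source lands in before touching the rules.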
