Hi Kyriakos,
It seems that this feature is not available for OSSEC (you can check an older thread about it here <https://groups.google.com/g/ossec-list/c/vOlEWdPeQEk/m/ff9z1I8VDwAJ>). However, as mentioned in the thread, you can use Wazuh to achieve that goal:

**Phase 1: Completed pre-decoding.
    full event: '2017 Mar 02 04:04:22 WinEvtLog: Security: AUDIT_FAILURE(4656): Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: A handle to an object was requested. Subject: Security ID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX Account Name: Subject1 Account Domain: DESKTOP Logon ID: 0xXXXXX Object: Object Server: Security Object Type: File Object Name: C:\Users\Subject2\Documents\Private.txt Handle ID: 0xXXX Resource Attributes: - Process Information: Process ID: 0xXXX Process Name: C:\Windows\System32\notepad.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadData (or ListDirectory) Access Reasons: SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BU) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;BU) Access Mask: 0x100001 Privileges Used for Access Check: - Restricted SID Count: 0'
    hostname: 'ip-10-0-0-10'
    program_name: 'WinEvtLog'
    log: 'Security: AUDIT_FAILURE(4656): Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: A handle to an object was requested. Subject: Security ID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX Account Name: Subject1 Account Domain: DESKTOP Logon ID: 0xXXXXX Object: Object Server: Security Object Type: File Object Name: C:\Users\Subject2\Documents\Private.txt Handle ID: 0xXXX Resource Attributes: - Process Information: Process ID: 0xXXX Process Name: C:\Windows\System32\notepad.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadData (or ListDirectory) Access Reasons: SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BU) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;BU) Access Mask: 0x100001 Privileges Used for Access Check: - Restricted SID Count: 0'

**Phase 2: Completed decoding.
    decoder: 'windows'
    status: 'AUDIT_FAILURE'
    id: '4656'
    extra_data: 'Microsoft-Windows-Security-Auditing'
    dstuser: '(no user)'
    system_name: 'Desktop'
    account_name: 'Subject1'
    account_domain: 'DESKTOP'
    logon_id: '0xXXXXX'
    accesses: ' SYNCHRONIZE ReadData (or ListDirectory) Access Reasons: SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BU) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;BU)'
    target_file: 'C:\Users\Subject2\Documents\Private.txt'

**Phase 3: Completed filtering (rules).
    Rule id: '200000'
    Level: '5'
    Description: 'Unauthorized object access by Subject1'
**Alert to be generated.

You can check this link <https://documentation.wazuh.com/current/user-manual/ruleset/custom.html> for further information.

Hope this helps. Let me know if you need anything else.

Regards,
Yana.

On Tuesday, September 17, 2019 at 12:05:07 PM UTC+2 Kyriakos Stavridis wrote:
> Hey guys, so I really like the new dynamic decoders. But how can I use a
> dynamic field to trigger a rule?
>
> Let's say I extract md5 into a dynamic field with a decoder
> <order>md5</order>
>
> I can't use the tag <md5>XXXXXXX</md5> into any rule.
>
> How am I supposed to check the value I extracted with the decoder?
>
> Thanks
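An added example, not from the thread and not part of Wazuh's own ruleset, showing how a dynamic field is matched in a Wazuh rule with `<field name="...">` rather than a tag named after the field. The `fileaudit` log format, decoder names, rule id 100100 and the placeholder hash are all assumptions made up for the asker's md5 case; the rule 200000 at the end is only an assumed reconstruction of what could produce the logtest result above.

```xml
<!-- local_decoder.xml: constructed log format for the md5 case, e.g.
     "fileaudit: path=/tmp/sample.bin md5=0123456789abcdef0123456789abcdef" -->
<decoder name="fileaudit">
  <prematch>^fileaudit: </prematch>
</decoder>

<decoder name="fileaudit-fields">
  <parent>fileaudit</parent>
  <regex offset="after_parent">^path=(\S+) md5=(\w+)$</regex>
  <!-- neither name is a built-in decoder field, so both become dynamic fields -->
  <order>target_file, md5</order>
</decoder>

<!-- local_rules.xml: the dynamic field is referenced by name inside <field>;
     a tag like <md5>...</md5> is not valid rule syntax -->
<group name="local,fileaudit,">
  <rule id="100100" level="7">
    <decoded_as>fileaudit</decoded_as>
    <!-- placeholder value: replace with the hash you want to flag -->
    <field name="md5">^KNOWN_BAD_MD5_PLACEHOLDER$</field>
    <!-- $(field_name) substitutes a decoded field into the description -->
    <description>File with flagged MD5 observed: $(target_file)</description>
  </rule>
</group>

<!-- assumed reconstruction of rule 200000 from the logtest output above,
     matching two dynamic fields produced by the stock "windows" decoder -->
<group name="local,windows,">
  <rule id="200000" level="5">
    <decoded_as>windows</decoded_as>
    <field name="account_name">^Subject1$</field>
    <field name="target_file">Private.txt$</field>
    <description>Unauthorized object access by Subject1</description>
  </rule>
</group>
```

Both rules fire only when every `<field>` regex matches, so a missing dynamic field (for example a log the child decoder did not fully parse) simply fails the rule instead of raising an alert.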
