Remove Windows EventChannel field #299
<description>Windows warning event</description> | ||
<options>no_full_log</options> | ||
<group>gpg13_4.12,</group> | ||
</rule> | ||
|
||
<!--{"EventChannel":{"System":{"ProviderName":"NetBT","EventID":"4321","Level":"2","Task":"0","Keywords":"0x80000000000000","SystemTime":"2018-12-18T10:55:40.107861400Z","EventRecordID":"1701","Channel":"System","Computer":"qnu","SeverityValue":"ERROR","Message":"Le nom \\\"WORKGROUP :1d\\\" n’a pas pu être enregistré sur l’interface avec l’adresse IP 10.0.2.15. L’ordinateur avec l’adresse IP 10.0.2.2 n’a pas permis que le nom soit réclamé par cet ordinateur."},"EventData":{"Data":"","Data":"WORKGROUP :1d","Data":"10.0.2.15","Data":"10.0.2.2","Binary":"00000000040032000000000E11000C001010000010000C029000000000000000000000000000000"}}}--> |
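Review bot: the sample event in the comment at the end of this hunk still wraps the JSON in an outer `EventChannel` object, which is the very field this PR removes; bring it in line with the other updated sample comments in this PR (the `{"System":{...},"EventData":{...}}` shape) so the comment documents the structure the `win.*` field names are decoded from rather than the old one.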
The event example is outdated.
rules/0220-msauth_rules.xml
<options>alert_by_email</options> | ||
<description>Windows: Application Uninstalled $(EventChannel.EventData.Data)</description> | ||
<description>Windows: Application Uninstalled $(eventData.data)</description> |
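Review bot: the new description variable `$(eventData.data)` drops the `win.` prefix that the `<field name="win.system.eventID">` and `<field name="win.system.providerName">` matchers elsewhere in this PR use; the description must reference the same decoded field the matchers do, so this should read `$(win.eventdata.data)`, otherwise the alert text points at a field that does not exist in the decoded event and the uninstalled application name is lost from the alert.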
This field is wrong -> win.eventdata.data
rules/0220-msauth_rules.xml
<options>alert_by_email</options> | ||
<description>Windows: Application Installed $(EventChannel.EventData.Data)</description> | ||
<description>Windows: Application Installed $(eventData.data)</description> |
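Review bot: `$(eventData.data)` in the Application Installed description has the same prefix problem as the Uninstalled one: the `<field>` elements in this PR address fields as `win.system.*` / `win.eventdata.*`, so the variable should be `$(win.eventdata.data)` for the installed application name to appear in the alert.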
win.eventdata.data
rules/0220-msauth_rules.xml
<field name="EventChannel.System.EventID">^632$|^4728$</field> | ||
<description>Windows: Security Enabled Global Group Member Added $(EventChannel.EventData.MemberSid)</description> | ||
<field name="win.system.eventID">^632$|^4728$</field> | ||
<description>Windows: Security Enabled Global Group Member Added $(eventData.memberSid)</description> |
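Review bot: this hunk is internally inconsistent: the matcher is renamed to `<field name="win.system.eventID">` with the `win.` prefix, but the description on the next line references `$(eventData.memberSid)` without it. Both lines must address the same decoded namespace, so use `$(win.eventdata.memberSid)`; the member SID is the one piece of context that makes a group-membership alert actionable, so an unresolved variable here is worth catching before merge.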
win.eventdata.memberSid
and the same for the below descriptions as well
rules/0220-msauth_rules.xml
<description>Chrome Remote Desktop attempt - access denied $(EventChannel.EventData.Data)</description> | ||
<field name="win.system.providerName">chromoting</field> | ||
<field name="win.system.message">\.*Access denied for client</field> | ||
<description>Chrome Remote Desktop attempt - access denied $(eventData.data)</description> |
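Review bot: the two unchanged `<field>` lines in this rule already use `win.system.providerName` and `win.system.message`, while the rewritten description uses `$(eventData.data)`; change it to `$(win.eventdata.data)` so the client identity that the chromoting sample event further down carries under `EventData.Data` is actually substituted into the access-denied alert.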
win.eventdata.data
rules/0220-msauth_rules.xml
<options>no_full_log</options> | ||
<group>gdpr_IV_32.2,</group> | ||
</rule> | ||
|
||
<!--{"EventChannel":{"System":{"ProviderName":"chromoting","EventID":"5","Level":"4","Task":"1","Keywords":"0x80000000000000","SystemTime":"2018-12-18T10:55:48.000000000Z","EventRecordID":"1801","Channel":"Application","Computer":"qnu","SeverityValue":"INFORMATION","Message":"Hôte démarré pour l'utilisateur \\\"[email protected]\\\""},"EventData":{"Data":"[email protected]"}}}--> | ||
<!--{"System":{"ProviderName":"chromoting","EventID":"5","Level":"4","Task":"1","Keywords":"0x80000000000000","SystemTime":"2018-12-18T10:55:48.000000000Z","EventRecordID":"1801","Channel":"Application","Computer":"qnu","SeverityValue":"INFORMATION","Message":"Hôte démarré pour l'utilisateur \\\"[email protected]\\\""},"EventData":{"Data":"[email protected]"}}--> |
The example event
rules/0430-ms_wdefender_rules.xml
<description>Windows Defender messages grouped</description> | ||
<options>no_full_log</options> | ||
</rule> | ||
|
||
<!-- | ||
{"EventChannel":{"System":{"ProviderName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","EventSourceName":"Microsoft-Windows-Eventlog","EventID":"1116","Version":"0","Level":"4","Task":"0","Opcode":"0","Keywords":"0x8080000000000000","SystemTime":"2018-11-27T13:03:51.594213100Z","EventRecordID":"8453","Correlation":"","ProcessID":"608","ThreadID":"1296","Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"hffg","Message":"Windows Defender has detected malware or other potentially unwanted software.","SeverityValue":"WARNING"},"EventData":{"SubjectUserSid":"S-1-5-21-571","SubjectUserName":"HFFG$","SubjectDomainName":"WORKGROUP","SubjectLogonId":"0x3e7","TransactionId":"{D2399FF4-F177-11E8-82BA-08002750D7C5}","NewState":"52","ResourceManager":"{7D5F0E1F-ABCB-11E8-A2E2-D5514FE2B72B}","ProcessId":"0x3f8","ProcessName":"C:\\Windows\\System32\\svchost.exe"}}} | ||
{"System":{"ProviderName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","EventSourceName":"Microsoft-Windows-Eventlog","EventID":"1116","Version":"0","Level":"4","Task":"0","Opcode":"0","Keywords":"0x8080000000000000","SystemTime":"2018-11-27T13:03:51.594213100Z","EventRecordID":"8453","Correlation":"","ProcessID":"608","ThreadID":"1296","Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"hffg","Message":"Windows Defender has detected malware or other potentially unwanted software.","SeverityValue":"WARNING"},"EventData":{"SubjectUserSid":"S-1-5-21-571","SubjectUserName":"HFFG$","SubjectDomainName":"WORKGROUP","SubjectLogonId":"0x3e7","TransactionId":"{D2399FF4-F177-11E8-82BA-08002750D7C5}","NewState":"52","ResourceManager":"{7D5F0E1F-ABCB-11E8-A2E2-D5514FE2B72B}","ProcessId":"0x3f8","ProcessName":"C:\\Windows\\System32\\svchost.exe"}} |
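Review bot: dropping the `EventChannel` wrapper here is correct, but the Defender 1116 sample itself looks cloned from the Eventlog 1102 sample in rules/0435-ms_logs_rules.xml rather than captured: apart from ProviderName, EventID, Channel and Message the two comments are identical, including ProviderGuid `{555908d1-a6d7-4695-8e1e-26931d2012f4}`, SystemTime `2018-11-27T13:03:51.594213100Z`, EventRecordID 8453 and the whole EventData block (SubjectUserSid, TransactionId, ResourceManager, svchost.exe), which cannot hold for two distinct events. Since these comments are what people read when writing `win.eventdata.*` matchers for Defender detections, consider replacing this one with a genuinely captured 1116 event.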
The example event
rules/0435-ms_logs_rules.xml
@@ -40,33 +40,33 @@ | |||
</rule> | |||
|
|||
<!-- | |||
{"EventChannel":{"System":{"ProviderName":"Microsoft-Windows-Eventlog","ProviderGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","EventSourceName":"Microsoft-Windows-Eventlog","EventID":"1102","Version":"0","Level":"4","Task":"0","Opcode":"0","Keywords":"0x8080000000000000","SystemTime":"2018-11-27T13:03:51.594213100Z","EventRecordID":"8453","Correlation":"","ProcessID":"608","ThreadID":"1296","Channel":"Microsoft-Windows-Eventlog","Computer":"hffg","Message":"The audit log was cleared.","SeverityValue":"INFORMATION"},"EventData":{"SubjectUserSid":"S-1-5-21-571","SubjectUserName":"HFFG$","SubjectDomainName":"WORKGROUP","SubjectLogonId":"0x3e7","TransactionId":"{D2399FF4-F177-11E8-82BA-08002750D7C5}","NewState":"52","ResourceManager":"{7D5F0E1F-ABCB-11E8-A2E2-D5514FE2B72B}","ProcessId":"0x3f8","ProcessName":"C:\\Windows\\System32\\svchost.exe"}}} | |||
{"System":{"ProviderName":"Microsoft-Windows-Eventlog","ProviderGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","EventSourceName":"Microsoft-Windows-Eventlog","EventID":"1102","Version":"0","Level":"4","Task":"0","Opcode":"0","Keywords":"0x8080000000000000","SystemTime":"2018-11-27T13:03:51.594213100Z","EventRecordID":"8453","Correlation":"","ProcessID":"608","ThreadID":"1296","Channel":"Microsoft-Windows-Eventlog","Computer":"hffg","Message":"The audit log was cleared.","SeverityValue":"INFORMATION"},"EventData":{"SubjectUserSid":"S-1-5-21-571","SubjectUserName":"HFFG$","SubjectDomainName":"WORKGROUP","SubjectLogonId":"0x3e7","TransactionId":"{D2399FF4-F177-11E8-82BA-08002750D7C5}","NewState":"52","ResourceManager":"{7D5F0E1F-ABCB-11E8-A2E2-D5514FE2B72B}","ProcessId":"0x3f8","ProcessName":"C:\\Windows\\System32\\svchost.exe"}} |
The example event
This PR removes the EventChannel field from the rules. This is the related PR: wazuh/wazuh#2680