
Fix Microsoft Antimalware and Eventlog rules' channels #397

Merged
merged 1 commit into from
May 15, 2019

Conversation

cristgl
Contributor

@cristgl cristgl commented May 15, 2019

This PR fixes: #396

The rule 60007 was not filtering by the right channel. It has been changed to filter by Security, as Microsoft-Windows-Eventlog is the provider name.
Also, rule 60008 has been changed for the same reason. A Security Essentials event looks like this:

{
   "win":{
      "system":{
         "providerName":"Microsoft Antimalware",
         "eventID":"2010",
         "level":"4",
         "task":"0",
         "keywords":"0x80000000000000",
         "systemTime":"2019-05-15T09:19:30.000000000Z",
         "eventRecordID":"1311",
         "channel":"System",
         "computer":"user-PC",
         "severityValue":"INFORMATION",
         "message":"Microsoft Antimalware used Dynamic Signature Service to retrieve additional signatures to help protect your machine."
      },
      "eventdata":{
         "data":"%%860, 4.10.209.0, 1.293.1636.0, 2, %%801, 1.1.15900.4, 2, %%863, c:\\ProgramData\\Microsoft\\Microsoft Antimalware\\Scans\\RtSigs\\data\\f646ed823bbfd0fb8a9df8d13ff55466eb6158b0, 1.293.1636.1, 3, %%865, 1.293.1636.1"
      }
   }
}

The channel is System and the provider name is Microsoft Antimalware.

These rules' filtering fields and parent rule have been changed to the right ones.

@cristgl cristgl added the bug label May 15, 2019
@cristgl cristgl changed the title Fix Microsoft Antimalware and Eventlog rules channels Fix Microsoft Antimalware and Eventlog rules' channels May 15, 2019
@cristgl
Contributor Author

cristgl commented May 15, 2019

Testing for each channel and provider name

This testing shows alerts taking into account the changes made in this PR and the modifications for the issue #401.

  • Channel: System, ProviderName: Microsoft antimalware (parent rule 60008)
** Alert 1557929076.916604: - windows,mse,pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,
2019 May 15 16:04:36 (win3) any->EventChannel
Rule: 63615 (level 5) -> 'Microsoft Security Essentials - Scan stopped before completion'
{"win":{"system":{"providerName":"Microsoft Antimalware","eventID":"1002","level":"3","task":"0","keywords":"0x80000000000000","systemTime":"2019-05-15T14:04:36.000000000Z","eventRecordID":"1285","channel":"System","computer":"user-PC","severityValue":"WARNING","message":"Microsoft Antimalware scan has been stopped before completion."},"eventdata":{"data":"%%860, 4.10.209.0, {B9AF3F9D-7518-4439-B225-586A35FDD99C}, 1, %%802, 1, %%806, user-PC, user, S-1-5-21-870405189-18688717-2561499053-1000"}}}
win.system.providerName: Microsoft Antimalware
win.system.eventID: 1002
win.system.level: 3
win.system.task: 0
win.system.keywords: 0x80000000000000
win.system.systemTime: 2019-05-15T14:04:36.000000000Z
win.system.eventRecordID: 1285
win.system.channel: System
win.system.computer: user-PC
win.system.severityValue: WARNING
win.system.message: Microsoft Antimalware scan has been stopped before completion.
win.eventdata.data: %%860, 4.10.209.0, {B9AF3F9D-7518-4439-B225-586A35FDD99C}, 1, %%802, 1, %%806, user-PC, user, S-1-5-21-870405189-18688717-2561499053-1000
  • Channel: System (parent rule 60002)
** Alert 1557903473.112805: - windows, windows_systempolicy_changed,pci_dss_10.6,gdpr_IV_35.7.d,
2019 May 15 08:57:53 (win) any->EventChannel
Rule: 61104 (level 3) -> 'Service startup type was changed'
{"win":{"system":{"providerName":"Service Control Manager","providerGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","eventSourceName":"Service Control Manager","eventID":"7040","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8080000000000000","systemTime":"2019-05-15T06:57:52.019149300Z","eventRecordID":"11420","processID":"560","threadID":"1808","channel":"System","computer":"pcname","severityValue":"INFORMATION","message":"The start type of the Windows Modules Installer service was changed from demand start to auto start."},"eventdata":{"param1":"Windows Modules Installer","param2":"demand start","param3":"auto start","param4":"TrustedInstaller"}}}
win.system.providerName: Service Control Manager
win.system.providerGuid: {555908d1-a6d7-4695-8e1e-26931d2012f4}
win.system.eventSourceName: Service Control Manager
win.system.eventID: 7040
win.system.version: 0
win.system.level: 4
win.system.task: 0
win.system.opcode: 0
win.system.keywords: 0x8080000000000000
win.system.systemTime: 2019-05-15T06:57:52.019149300Z
win.system.eventRecordID: 11420
win.system.processID: 560
win.system.threadID: 1808
win.system.channel: System
win.system.computer: pcname
win.system.severityValue: INFORMATION
win.system.message: The start type of the Windows Modules Installer service was changed from demand start to auto start.
win.eventdata.param1: Windows Modules Installer
win.eventdata.param2: demand start
win.eventdata.param3: auto start
win.eventdata.param4: TrustedInstaller
  • Channel: Security (parent rule 60001)
** Alert 1557930274.974283: - windows, windows_security,pci_dss_10.2.5,gdpr_IV_32.2,
2019 May 15 16:24:34 (win) any->EventChannel
Rule: 60137 (level 3) -> 'Windows User Logoff'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4647","version":"0","level":"0","task":"12545","opcode":"0","keywords":"0x8020000000000000","systemTime":"2019-05-15T14:24:33.310846900Z","eventRecordID":"15745752","processID":"568","threadID":"2556","channel":"Security","computer":"pcname","severityValue":"AUDIT_SUCCESS"},"eventdata":{"targetUserSid":"S-1-5-21-3416783167-2895274904-3428114391-1001","targetUserName":"user","targetDomainName":"pcname","targetLogonId":"0x1be502f"}}}
win.system.providerName: Microsoft-Windows-Security-Auditing
win.system.providerGuid: {54849625-5478-4994-A5BA-3E3B0328C30D}
win.system.eventID: 4647
win.system.version: 0
win.system.level: 0
win.system.task: 12545
win.system.opcode: 0
win.system.keywords: 0x8020000000000000
win.system.systemTime: 2019-05-15T14:24:33.310846900Z
win.system.eventRecordID: 15745752
win.system.processID: 568
win.system.threadID: 2556
win.system.channel: Security
win.system.computer: pcname
win.system.severityValue: AUDIT_SUCCESS
win.eventdata.targetUserSid: S-1-5-21-3416783167-2895274904-3428114391-1001
win.eventdata.targetUserName: user
win.eventdata.targetDomainName: pcname
win.eventdata.targetLogonId: 0x1be502f
  • Channel: Application (parent rule 60003)
** Alert 1557929469.936299: - windows,windows_application,
2019 May 15 16:11:09 (win3) any->EventChannel
Rule: 60775 (level 5) -> 'SessionEnv was unavailable to handle a notification event'
{"win":{"system":{"providerName":"Microsoft-Windows-Winlogon","providerGuid":"{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}","eventSourceName":"Wlclntfy","eventID":"6000","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x80000000000000","systemTime":"2019-05-15T14:11:09.000000000Z","eventRecordID":"522","processID":"0","threadID":"0","channel":"Application","computer":"user-PC","severityValue":"INFORMATION","message":"The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event."},"eventdata":{"binary":"D9060000","data":"SessionEnv"}}}
win.system.providerName: Microsoft-Windows-Winlogon
win.system.providerGuid: {DBE9B383-7CF3-4331-91CC-A3CB16A3B538}
win.system.eventSourceName: Wlclntfy
win.system.eventID: 6000
win.system.version: 0
win.system.level: 4
win.system.task: 0
win.system.opcode: 0
win.system.keywords: 0x80000000000000
win.system.systemTime: 2019-05-15T14:11:09.000000000Z
win.system.eventRecordID: 522
win.system.processID: 0
win.system.threadID: 0
win.system.channel: Application
win.system.computer: user-PC
win.system.severityValue: INFORMATION
win.system.message: The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
win.eventdata.binary: D9060000
win.eventdata.data: SessionEnv
  • Channel: Microsoft-Windows-Windows Defender/Operational (parent rule 60005)
** Alert 1557931621.1096365: mail  - windows,windows_defender,gdpr_IV_35.7.d,
2019 May 15 16:47:01 (win) any->EventChannel
Rule: 62103 (level 12) -> 'Windows Defender: detected potentially unwanted software C:\Windows\explorer.exe'
{"win":{"system":{"providerName":"Microsoft-Windows-Windows Defender","providerGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","eventID":"1116","version":"0","level":"3","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2019-05-15T14:47:00.406134500Z","eventRecordID":"586","processID":"1572","threadID":"2464","channel":"Microsoft-Windows-Windows Defender/Operational","computer":"pcname","severityValue":"WARNING"},"eventdata":{"product Name":"%%827","product Version":"4.10.209.0","detection ID":"{7EB7D8A0-7871-4792-9B96-79743010A21C}","detection Time":"2019-05-15T14:47:00.406Z","threat ID":"2147705511","threat Name":"HackTool:Win64/Mikatz!dha","severity ID":"4","severity Name":"High","category ID":"34","category Name":"Tool","fWLink":"http://go.microsoft.com/fwlink/?linkid=37020&amp;name=HackTool:Win64/Mikatz!dha&amp;threatid=2147705511&amp;enterprise=0","status Code":"1","state":"1","source ID":"4","source Name":"%%819","process Name":"C:\\Windows\\explorer.exe","detection User":"pcname\\user","path":"file:_C:\\Users\\user\\Downloads\\mimikatz_trunk\\Win32\\mimidrv.sys","origin ID":"1","origin Name":"%%845","execution ID":"1","execution Name":"%%813","type ID":"0","type Name":"%%822","pre Execution Status":"0","action ID":"9","action Name":"%%887","error Code":"0x00000000","error Description":"The operation completed successfully.","post Clean Status":"0","additional Actions ID":"0","additional Actions String":"No additional actions required","signature Version":"AV: 1.293.1629.0, AS: 1.293.1629.0, NIS: 119.0.0.0","engine Version":"AM: 1.1.15900.4, NIS: 2.1.14600.4"}}}
win.system.providerName: Microsoft-Windows-Windows Defender
win.system.providerGuid: {11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}
win.system.eventID: 1116
win.system.version: 0
win.system.level: 3
win.system.task: 0
win.system.opcode: 0
win.system.keywords: 0x8000000000000000
win.system.systemTime: 2019-05-15T14:47:00.406134500Z
win.system.eventRecordID: 586
win.system.processID: 1572
win.system.threadID: 2464
win.system.channel: Microsoft-Windows-Windows Defender/Operational
win.system.computer: pcname
win.system.severityValue: WARNING
win.eventdata.product Name: %%827
win.eventdata.product Version: 4.10.209.0
win.eventdata.detection ID: {7EB7D8A0-7871-4792-9B96-79743010A21C}
win.eventdata.detection Time: 2019-05-15T14:47:00.406Z
win.eventdata.threat ID: 2147705511
win.eventdata.threat Name: HackTool:Win64/Mikatz!dha
win.eventdata.severity ID: 4
win.eventdata.severity Name: High
win.eventdata.category ID: 34
win.eventdata.category Name: Tool
win.eventdata.fWLink: http://go.microsoft.com/fwlink/?linkid=37020&amp;name=HackTool:Win64/Mikatz!dha&amp;threatid=2147705511&amp;enterprise=0
win.eventdata.status Code: 1
win.eventdata.state: 1
win.eventdata.source ID: 4
win.eventdata.source Name: %%819
win.eventdata.process Name: C:\Windows\explorer.exe
win.eventdata.detection User: pcname\user
win.eventdata.path: file:_C:\Users\user\Downloads\mimikatz_trunk\Win32\mimidrv.sys
win.eventdata.origin ID: 1
win.eventdata.origin Name: %%845
win.eventdata.execution ID: 1
win.eventdata.execution Name: %%813
win.eventdata.type ID: 0
win.eventdata.type Name: %%822
win.eventdata.pre Execution Status: 0
win.eventdata.action ID: 9
win.eventdata.action Name: %%887
win.eventdata.error Code: 0x00000000
win.eventdata.error Description: The operation completed successfully.
win.eventdata.post Clean Status: 0
win.eventdata.additional Actions ID: 0
win.eventdata.additional Actions String: No additional actions required
win.eventdata.signature Version: AV: 1.293.1629.0, AS: 1.293.1629.0, NIS: 119.0.0.0
win.eventdata.engine Version: AM: 1.1.15900.4, NIS: 2.1.14600.4
  • Channel: Microsoft-Windows-Sysmon/Operational (parent rule 60004)
** Alert 1557931847.1116646: mail  - windows,sysmon,sysmon_process-anomalies,sysmon_event1,powershell_execution,
2019 May 15 16:50:47 (win) any->EventChannel
Rule: 255000 (level 12) -> 'Sysmon - Event 1: Bad exe: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2019-05-15T14:50:46.612978000Z","eventRecordID":"12848","processID":"1856","threadID":"2960","channel":"Microsoft-Windows-Sysmon/Operational","computer":"pcname","severityValue":"INFORMATION","message":"rocess Create:\r\nRuleName: \r\nUtcTime: 2019-05-15 14:50:46.612\r\nProcessGuid: {A2E669BA-2746-5CDC-0000-00105C5F0B00}\r\nProcessId: 2576\r\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nFileVersion: 6.3.9600.17396 (winblue_r4.141007-2030)\r\nDescription: Windows PowerShell\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nCommandLine:"},"eventdata":{"utcTime":"2019-05-15 14:50:46.612","processGuid":"{A2E669BA-2746-5CDC-0000-00105C5F0B00}","processId":"2576","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","fileVersion":"6.3.9600.17396 (winblue_r4.141007-2030)","description":"Windows PowerShell","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","commandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"","currentDirectory":"C:\\Windows\\system32\\","user":"pcname\\user","logonGuid":"{A2E669BA-255D-5CDC-0000-00206FEF0300}","logonId":"0x3ef6f","terminalSessionId":"1","integrityLevel":"High","hashes":"MD5=C031E215B8B08C752BF362F6D4C5D3AD","parentProcessGuid":"{A2E669BA-2560-5CDC-0000-001030110400}","parentProcessId":"2596","parentImage":"C:\\Windows\\explorer.exe","parentCommandLine":"C:\\Windows\\Explorer.EXE"}}}
win.system.providerName: Microsoft-Windows-Sysmon
win.system.providerGuid: {5770385F-C22A-43E0-BF4C-06F5698FFBD9}
win.system.eventID: 1
win.system.version: 5
win.system.level: 4
win.system.task: 1
win.system.opcode: 0
win.system.keywords: 0x8000000000000000
win.system.systemTime: 2019-05-15T14:50:46.612978000Z
win.system.eventRecordID: 12848
win.system.processID: 1856
win.system.threadID: 2960
win.system.channel: Microsoft-Windows-Sysmon/Operational
win.system.computer: pcname
win.system.severityValue: INFORMATION
win.system.message: rocess Create:
RuleName: 
UtcTime: 2019-05-15 14:50:46.612
ProcessGuid: {A2E669BA-2746-5CDC-0000-00105C5F0B00}
ProcessId: 2576
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 6.3.9600.17396 (winblue_r4.141007-2030)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
CommandLine:
win.eventdata.utcTime: 2019-05-15 14:50:46.612
win.eventdata.processGuid: {A2E669BA-2746-5CDC-0000-00105C5F0B00}
win.eventdata.processId: 2576
win.eventdata.image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
win.eventdata.fileVersion: 6.3.9600.17396 (winblue_r4.141007-2030)
win.eventdata.description: Windows PowerShell
win.eventdata.product: Microsoft® Windows® Operating System
win.eventdata.company: Microsoft Corporation
win.eventdata.commandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
win.eventdata.currentDirectory: C:\Windows\system32\
win.eventdata.user: pcname\user
win.eventdata.logonGuid: {A2E669BA-255D-5CDC-0000-00206FEF0300}
win.eventdata.logonId: 0x3ef6f
win.eventdata.terminalSessionId: 1
win.eventdata.integrityLevel: High
win.eventdata.hashes: MD5=C031E215B8B08C752BF362F6D4C5D3AD
win.eventdata.parentProcessGuid: {A2E669BA-2560-5CDC-0000-001030110400}
win.eventdata.parentProcessId: 2596
win.eventdata.parentImage: C:\Windows\explorer.exe
win.eventdata.parentCommandLine: C:\Windows\Explorer.EXE
  • Channel: Application, Provider Name: McLogEvent (parent rule 60006)
    I couldn't get any event from this provider name, but I have found some sample events on the McAfee website. Passing this event through the analysisd socket returns the following alert:
** Alert 1557999922.359975: - windows,mcafee,
2019 May 16 11:45:22 (win) any->EventChannel
Rule: 62603 (level 3) -> 'McAfee Windows AV informational event'
{"win":{"system":{"providerName":"McLogEvent","eventID":"257","level":"4","task":"0","keywords":"0x80000000000000","eventRecordID":"23620","channel":"Application","severityValue":"INFORMATION","message":"Blocked by access protection rule"},"eventdata":{"data":"Blocked by access protection rule.  Access to object \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Epoch2 was blocked by rule Common Maximum Protection:Prevent programs registering as a service."}}}
win.system.providerName: McLogEvent
win.system.eventID: 257
win.system.level: 4
win.system.task: 0
win.system.keywords: 0x80000000000000
win.system.eventRecordID: 23620
win.system.channel: Application
win.system.severityValue: INFORMATION
win.system.message: Blocked by access protection rule
win.eventdata.data: Blocked by access protection rule.  Access to object \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2 was blocked by rule Common Maximum Protection:Prevent programs registering as a service.
  • Channel: System, Provider Name: Eventlog (parent rule 60007)
    I cannot reproduce any event, but the image below shows that this provider name is contained in the System channel.
    [image]
    Passing it through the analysisd socket:
** Alert 1558001508.433434: - windows,windows_logs,windows_log_service_started,gpg13_10.1,
2019 May 16 12:11:48 (win) any->EventChannel
Rule: 63105 (level 5) -> 'The Event log service was started'
{"win":{"system":{"providerName":"Eventlog","eventID":"6005","level":"4","task":"0","keywords":"0x80000000000000","eventRecordID":"2492","channel":"System","severityValue":"INFORMATION","message":"Test"},"eventdata":{"binary":"E30705000400100009000800180004000000000000000000"}}}
win.system.providerName: Eventlog
win.system.eventID: 6005
win.system.level: 4
win.system.task: 0
win.system.keywords: 0x80000000000000
win.system.eventRecordID: 2492
win.system.channel: System
win.system.severityValue: INFORMATION
win.system.message: Test
win.eventdata.binary: E30705000400100009000800180004000000000000000000
  • Channel: Application, Provider Name: chromoting (parent rule 60003)
** Alert 1558005360.550596: - windows,windows_application,gdpr_IV_32.2,
2019 May 16 13:16:00 (win) any->EventChannel
Rule: 60606 (level 5) -> 'Chrome Remote Desktop attempt - started connection from [email protected]'
{"win":{"system":{"providerName":"chromoting","eventID":"5","level":"4","task":"1","keywords":"0x80000000000000","systemTime":"2019-05-16T11:16:00.000000000Z","eventRecordID":"15958","channel":"Application","computer":"pcname","severityValue":"INFORMATION","message":"Host started for user: [email protected]."},"eventdata":{"data":"[email protected]"}}}
win.system.providerName: chromoting
win.system.eventID: 5
win.system.level: 4
win.system.task: 1
win.system.keywords: 0x80000000000000
win.system.systemTime: 2019-05-16T11:16:00.000000000Z
win.system.eventRecordID: 15958
win.system.channel: Application
win.system.computer: pcname
win.system.severityValue: INFORMATION
win.system.message: Host started for user: [email protected].
win.eventdata.data: [email protected]
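As an added illustration (not code from this PR or from the project's ruleset), the Python script below models the channel/providerName routing exercised in the testing list above and the mistake described in the PR description: a filter that tests the provider name against win.system.channel never fires, while matching on both channel and providerName routes the Antimalware and Eventlog events to 60008 and 60007. The parent-rule table and the abridged sample events are constructed from the events quoted in this PR; placing provider-qualified entries ahead of plain channel entries is an assumption of this example, not a statement about how analysisd orders its rules.

```python
import json

# Parent-rule table as exercised in the PR's testing comment:
# (parent rule id, channel, providerName or None for "any provider").
# Assumption of this example: provider-qualified entries come first, so a
# bare channel entry does not swallow the Antimalware and Eventlog events.
PARENT_RULES = [
    (60008, "System", "Microsoft Antimalware"),
    (60007, "System", "Eventlog"),
    (60006, "Application", "McLogEvent"),
    (60005, "Microsoft-Windows-Windows Defender/Operational", None),
    (60004, "Microsoft-Windows-Sysmon/Operational", None),
    (60001, "Security", None),
    (60002, "System", None),
    (60003, "Application", None),
]

# Constructed, abridged events (only the fields the table looks at),
# modelled on the events quoted in this PR.
SAMPLE_EVENTS = {
    "mse_2010": '{"win":{"system":{"providerName":"Microsoft Antimalware","eventID":"2010","channel":"System"}}}',
    "eventlog_6005": '{"win":{"system":{"providerName":"Eventlog","eventID":"6005","channel":"System"}}}',
    "scm_7040": '{"win":{"system":{"providerName":"Service Control Manager","eventID":"7040","channel":"System"}}}',
    "logoff_4647": '{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4647","channel":"Security"}}}',
}


def parent_rule(event: dict):
    """Return the first parent rule whose channel and, when set, providerName
    both match win.system of the decoded event; None if nothing matches."""
    system = event.get("win", {}).get("system", {})
    channel = system.get("channel")
    provider = system.get("providerName")
    for rule_id, rule_channel, rule_provider in PARENT_RULES:
        if channel != rule_channel:
            continue
        if rule_provider is not None and provider != rule_provider:
            continue
        return rule_id
    return None


def channel_only_match(name: str, channel: str) -> bool:
    """The pre-fix mistake: comparing a string against win.system.channel only.
    Passing the provider name here shows why such a rule never fires."""
    event = json.loads(SAMPLE_EVENTS[name])
    return event["win"]["system"].get("channel") == channel


def classify(name: str):
    """Parent rule id for one of the constructed sample events."""
    return parent_rule(json.loads(SAMPLE_EVENTS[name]))


if __name__ == "__main__":
    print("channel == 'Microsoft Antimalware':", channel_only_match("mse_2010", "Microsoft Antimalware"))
    for sample in SAMPLE_EVENTS:
        print(sample, "->", classify(sample))
```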

@snaow snaow self-requested a review May 15, 2019 15:04