Request to add support for more event log providers related to F-Secure alerts. The built-in support for F-Secure alerts consumes events from the "F-Secure Ultralight SDK" provider. My limited research shows that alerts are also found in the "F-Secure File scanning" and "FSecure-FSecure-F-Secure DeepGuard" providers. These alerts aren't detected by Chainsaw.
(Let me know if there is any good documentation about event IDs and log providers used by F-Secure.)
Further research shows that the "F-Secure Ultralight SDK" provider and the FSecureUltralightSDK.evtx file seem to be present since F-Secure v14. For earlier F-Secure versions you have to rely on the Application log and the F-Secure log providers mentioned above. F-Secure versions before v14 are now End of Life, but are sometimes found during investigations.
With v2.0.0-alpha.2 built-in rules have been extracted out of Chainsaw into rules. So if you have a list of providers I can add them to the rule, or if you have time would you be able to add them and raise a PR? (https://github.com/countercept/chainsaw/blob/next/rules/antivirus/f-secure.yml#L42) It should be noted though that if the field extraction is different, then I would add them as new rules.
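As an added illustration of the matching the thread is asking for (not code from Chainsaw or from either participant), the following script filters exported Windows event XML records by provider name. The three provider names come from the issue; the records, channels and event IDs are constructed placeholders for demonstration and are not real F-Secure event IDs. Running the provider match over records from all three providers is the check a rule change like the one discussed would need to pass.

```python
"""Filter exported Windows event XML records by provider name.

Added example: matches the three F-Secure provider names from the issue
against constructed EVTX-style XML records. Event IDs, channels and message
text in the samples are made up for illustration, not real F-Secure values.
"""
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (as exported by wevtutil / EVTX tools).
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Provider names from the issue: the one already consumed plus the two
# reported as also carrying alerts.
FSECURE_PROVIDERS = frozenset({
    "F-Secure Ultralight SDK",
    "F-Secure File scanning",
    "FSecure-FSecure-F-Secure DeepGuard",
})


def provider_and_id(record_xml: str):
    """Return (provider name, event id) from one event XML record, or None."""
    root = ET.fromstring(record_xml)
    provider = root.find("e:System/e:Provider", EVT_NS)
    event_id = root.find("e:System/e:EventID", EVT_NS)
    if provider is None or event_id is None or event_id.text is None:
        return None
    return provider.get("Name"), int(event_id.text)


def is_fsecure_alert(record_xml: str, providers=FSECURE_PROVIDERS) -> bool:
    """True when the record's provider is one of the configured providers."""
    parsed = provider_and_id(record_xml)
    return parsed is not None and parsed[0] in providers


def filter_fsecure_alerts(records, providers=FSECURE_PROVIDERS):
    """Return (provider, event id) for every record from a matching provider."""
    out = []
    for rec in records:
        parsed = provider_and_id(rec)
        if parsed is not None and parsed[0] in providers:
            out.append(parsed)
    return out


def _record(provider: str, event_id: int, channel: str) -> str:
    """Build a minimal constructed event record in Windows event XML."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="{provider}"/><EventID>{event_id}</EventID>'
        f'<Channel>{channel}</Channel></System>'
        '<EventData><Data>constructed sample</Data></EventData></Event>'
    )


# Constructed sample records; event IDs are placeholders, not F-Secure's.
SAMPLE_RECORDS = [
    _record("F-Secure Ultralight SDK", 8, "FSecureUltralightSDK"),
    _record("F-Secure File scanning", 101, "Application"),
    _record("FSecure-FSecure-F-Secure DeepGuard", 102, "Application"),
    _record("Microsoft-Windows-Security-Auditing", 4624, "Security"),
]

if __name__ == "__main__":
    for provider, event_id in filter_fsecure_alerts(SAMPLE_RECORDS):
        print(f"{provider}: event {event_id}")
```

Restricting `providers` to just the SDK name reproduces the current behaviour described in the issue (only the first record matches); the full set picks up the Application-log records as well, which is the gap the request is about.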
As the features required are now exposed and there has been no response or progress with this issue, I am going to resolve it. It can be reopened if required.