
Remove Windows EventChannel field #299

Merged: 6 commits, merged Feb 26, 2019

Conversation

@cristgl (Contributor) commented Feb 25, 2019

This PR removes the EventChannel field from the rules. This is the related PR: wazuh/wazuh#2680

<description>Windows warning event</description>
<options>no_full_log</options>
<group>gpg13_4.12,</group>
</rule>

<!--{"EventChannel":{"System":{"ProviderName":"NetBT","EventID":"4321","Level":"2","Task":"0","Keywords":"0x80000000000000","SystemTime":"2018-12-18T10:55:40.107861400Z","EventRecordID":"1701","Channel":"System","Computer":"qnu","SeverityValue":"ERROR","Message":"Le nom \\\"WORKGROUP :1d\\\" n’a pas pu être enregistré sur l’interface avec l’adresse IP 10.0.2.15. L’ordinateur avec l’adresse IP 10.0.2.2 n’a pas permis que le nom soit réclamé par cet ordinateur."},"EventData":{"Data":"","Data":"WORKGROUP :1d","Data":"10.0.2.15","Data":"10.0.2.2","Binary":"00000000040032000000000E11000C001010000010000C029000000000000000000000000000000"}}}-->
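Review bot: The example event left under this rule still wraps everything in an outer `EventChannel` object, while the other hunks in this PR drop that wrapper and reference fields as `win.system.*`; update the comment to the unwrapped `{"System":{...},"EventData":{...}}` form so the example matches what the rules now decode. Also, the `EventData` object repeats the key `Data` four times (`"Data":"","Data":"WORKGROUP :1d",...`); a JSON parser that keeps unique keys retains only the last value, so as written the example does not show which value a `$(...Data)` placeholder would receive.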

The event example is outdated.

<options>alert_by_email</options>
<description>Windows: Application Uninstalled $(EventChannel.EventData.Data)</description>
<description>Windows: Application Uninstalled $(eventData.data)</description>
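Review bot: `$(eventData.data)` in the new description does not use the `win.` prefix that the `<field name="win.system.eventID">`, `win.system.providerName` and `win.system.message` matchers elsewhere in this PR introduce, so the placeholder and the matchers address the decoded event under two different paths and the description will not expand; use `$(win.eventdata.data)` here.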

This field is wrong -> win.eventdata.data

<options>alert_by_email</options>
<description>Windows: Application Installed $(EventChannel.EventData.Data)</description>
<description>Windows: Application Installed $(eventData.data)</description>
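Review bot: Same path mismatch as the Uninstalled description: `$(eventData.data)` lacks the `win.` prefix the field matchers use; change it to `$(win.eventdata.data)` so both Installed and Uninstalled descriptions expand from the same decoded field.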

win.eventdata.data

<field name="EventChannel.System.EventID">^632$|^4728$</field>
<description>Windows: Security Enabled Global Group Member Added $(EventChannel.EventData.MemberSid)</description>
<field name="win.system.eventID">^632$|^4728$</field>
<description>Windows: Security Enabled Global Group Member Added $(eventData.memberSid)</description>
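Review bot: The `<field>` on the first line of this rule was renamed to `win.system.eventID`, but the description right below it still reads `$(eventData.memberSid)` without the `win.` prefix, so the two lines of one rule refer to the decoded event under different paths; use `$(win.eventdata.memberSid)`. Note also the casing difference between `win.system.eventID` (capital `ID`) and the lowercase `eventdata` segment: please confirm against the decoder output which case it actually emits, since a wrong case silently produces an empty placeholder in the alert rather than an error.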

win.eventdata.memberSid and the same for the below descriptions as well

<description>Chrome Remote Desktop attempt - access denied $(EventChannel.EventData.Data)</description>
<field name="win.system.providerName">chromoting</field>
<field name="win.system.message">\.*Access denied for client</field>
<description>Chrome Remote Desktop attempt - access denied $(eventData.data)</description>
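Review bot: The matchers moved to `win.system.providerName` and `win.system.message`, but the description still uses `$(eventData.data)`; it needs the same `win.` prefix (`$(win.eventdata.data)`) or the alert will carry an empty value where the denied client should appear. The `\.*Access denied for client` match on `win.system.message` is unanchored, which is fine for this provider, but it means the rule depends on the message text of the `chromoting` provider staying in English; worth a comment in the rule so localized hosts that miss this rule are not mistaken for a decoder problem.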

win.eventdata.data

<options>no_full_log</options>
<group>gdpr_IV_32.2,</group>
</rule>

<!--{"EventChannel":{"System":{"ProviderName":"chromoting","EventID":"5","Level":"4","Task":"1","Keywords":"0x80000000000000","SystemTime":"2018-12-18T10:55:48.000000000Z","EventRecordID":"1801","Channel":"Application","Computer":"qnu","SeverityValue":"INFORMATION","Message":"Hôte démarré pour l'utilisateur \\\"tinamay299@gmail.com\\\""},"EventData":{"Data":"user@gmail.com"}}}-->
<!--{"System":{"ProviderName":"chromoting","EventID":"5","Level":"4","Task":"1","Keywords":"0x80000000000000","SystemTime":"2018-12-18T10:55:48.000000000Z","EventRecordID":"1801","Channel":"Application","Computer":"qnu","SeverityValue":"INFORMATION","Message":"Hôte démarré pour l'utilisateur \\\"tinamay299@gmail.com\\\""},"EventData":{"Data":"user@gmail.com"}}-->
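Review bot: The updated example drops the `EventChannel` wrapper correctly, but `Message` still embeds what appears to be a real Gmail address (`tinamay299@gmail.com`) while `EventData.Data` was anonymized to `user@gmail.com`; anonymize the message the same way so the committed example carries no personal data and the two fields agree. Also, with `Message` reading "Hôte démarré pour l'utilisateur ..." this event would not satisfy the `Access denied for client` matcher of the Chrome Remote Desktop rule above, so either the example belongs to a different `chromoting` rule or a capture that actually triggers the rule should be used.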

The example event

<description>Windows Defender messages grouped</description>
<options>no_full_log</options>
</rule>

<!--
{"EventChannel":{"System":{"ProviderName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","EventSourceName":"Microsoft-Windows-Eventlog","EventID":"1116","Version":"0","Level":"4","Task":"0","Opcode":"0","Keywords":"0x8080000000000000","SystemTime":"2018-11-27T13:03:51.594213100Z","EventRecordID":"8453","Correlation":"","ProcessID":"608","ThreadID":"1296","Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"hffg","Message":"Windows Defender has detected malware or other potentially unwanted software.","SeverityValue":"WARNING"},"EventData":{"SubjectUserSid":"S-1-5-21-571","SubjectUserName":"HFFG$","SubjectDomainName":"WORKGROUP","SubjectLogonId":"0x3e7","TransactionId":"{D2399FF4-F177-11E8-82BA-08002750D7C5}","NewState":"52","ResourceManager":"{7D5F0E1F-ABCB-11E8-A2E2-D5514FE2B72B}","ProcessId":"0x3f8","ProcessName":"C:\\Windows\\System32\\svchost.exe"}}}
{"System":{"ProviderName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","EventSourceName":"Microsoft-Windows-Eventlog","EventID":"1116","Version":"0","Level":"4","Task":"0","Opcode":"0","Keywords":"0x8080000000000000","SystemTime":"2018-11-27T13:03:51.594213100Z","EventRecordID":"8453","Correlation":"","ProcessID":"608","ThreadID":"1296","Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"hffg","Message":"Windows Defender has detected malware or other potentially unwanted software.","SeverityValue":"WARNING"},"EventData":{"SubjectUserSid":"S-1-5-21-571","SubjectUserName":"HFFG$","SubjectDomainName":"WORKGROUP","SubjectLogonId":"0x3e7","TransactionId":"{D2399FF4-F177-11E8-82BA-08002750D7C5}","NewState":"52","ResourceManager":"{7D5F0E1F-ABCB-11E8-A2E2-D5514FE2B72B}","ProcessId":"0x3f8","ProcessName":"C:\\Windows\\System32\\svchost.exe"}}
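Review bot: This example is labelled as a Windows Defender event (`EventID` 1116, provider `Microsoft-Windows-Windows Defender`), but its `EventSourceName` is `Microsoft-Windows-Eventlog`, and its `ProviderGuid`, `SystemTime` (`2018-11-27T13:03:51.594213100Z`), `EventRecordID` (`8453`), `ProcessID`/`ThreadID` and the entire `EventData` block are identical to the audit-log-cleared (1102) example in the hunk below; only the provider name, ID, channel and message differ. It looks hand-edited from the 1102 capture rather than captured, so it does not document the fields a 1116 detection actually carries, which is exactly what a rule author needs when building `win.eventdata.*` matchers for a Defender detection. Please replace it with a genuine 1116 capture.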

The example event

@@ -40,33 +40,33 @@
</rule>

<!--
{"EventChannel":{"System":{"ProviderName":"Microsoft-Windows-Eventlog","ProviderGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","EventSourceName":"Microsoft-Windows-Eventlog","EventID":"1102","Version":"0","Level":"4","Task":"0","Opcode":"0","Keywords":"0x8080000000000000","SystemTime":"2018-11-27T13:03:51.594213100Z","EventRecordID":"8453","Correlation":"","ProcessID":"608","ThreadID":"1296","Channel":"Microsoft-Windows-Eventlog","Computer":"hffg","Message":"The audit log was cleared.","SeverityValue":"INFORMATION"},"EventData":{"SubjectUserSid":"S-1-5-21-571","SubjectUserName":"HFFG$","SubjectDomainName":"WORKGROUP","SubjectLogonId":"0x3e7","TransactionId":"{D2399FF4-F177-11E8-82BA-08002750D7C5}","NewState":"52","ResourceManager":"{7D5F0E1F-ABCB-11E8-A2E2-D5514FE2B72B}","ProcessId":"0x3f8","ProcessName":"C:\\Windows\\System32\\svchost.exe"}}}
{"System":{"ProviderName":"Microsoft-Windows-Eventlog","ProviderGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","EventSourceName":"Microsoft-Windows-Eventlog","EventID":"1102","Version":"0","Level":"4","Task":"0","Opcode":"0","Keywords":"0x8080000000000000","SystemTime":"2018-11-27T13:03:51.594213100Z","EventRecordID":"8453","Correlation":"","ProcessID":"608","ThreadID":"1296","Channel":"Microsoft-Windows-Eventlog","Computer":"hffg","Message":"The audit log was cleared.","SeverityValue":"INFORMATION"},"EventData":{"SubjectUserSid":"S-1-5-21-571","SubjectUserName":"HFFG$","SubjectDomainName":"WORKGROUP","SubjectLogonId":"0x3e7","TransactionId":"{D2399FF4-F177-11E8-82BA-08002750D7C5}","NewState":"52","ResourceManager":"{7D5F0E1F-ABCB-11E8-A2E2-D5514FE2B72B}","ProcessId":"0x3f8","ProcessName":"C:\\Windows\\System32\\svchost.exe"}}
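Review bot: Same provenance problem as the Defender example above: this "The audit log was cleared" (1102) example shares `SystemTime`, `EventRecordID`, `ProcessID`, `ThreadID` and the whole `EventData` block with it, so at most one of the two is a real capture. Its `Channel` value `Microsoft-Windows-Eventlog` also repeats the provider name rather than naming the log the event is written to (1102 is recorded in the Security log); please verify against a real event. Because clearing the audit log is a defense-evasion signal that SOC rules key on, this example should be an accurate capture so the `win.system.channel` / `win.eventdata.*` paths rule authors copy from it are correct.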

The example event

@chemamartinez chemamartinez merged commit 75346c1 into 3.9 Feb 26, 2019
@chemamartinez chemamartinez deleted the 3.9-winevt-replace branch February 26, 2019 13:31
2 participants