From a43cf2f642e07575a719181d79ad74cf39206ad2 Mon Sep 17 00:00:00 2001
From: Javier Botella <javier.botella@polyswarm.io>
Date: Thu, 4 Jun 2020 20:12:19 +0200
Subject: [PATCH 1/2] PolySwarm Integration

---
 rules/0690-polyswarm_rules.xml | 35 ++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 rules/0690-polyswarm_rules.xml

diff --git a/rules/0690-polyswarm_rules.xml b/rules/0690-polyswarm_rules.xml
new file mode 100644
index 000000000..3bafcfd51
--- /dev/null
+++ b/rules/0690-polyswarm_rules.xml
@@ -0,0 +1,35 @@
+<group name="polyswarm,syscheck,">
+    <rule id="101000" level="0">
+        <decoded_as>json</decoded_as>
+        <field name="integration">custom-polyswarm</field>
+        <description>Polyswarm integration messages.</description>
+        <options>no_full_log</options>
+    </rule>
+    <rule id="101001" level="3">
+        <if_sid>101000</if_sid>
+        <field name="polyswarm.error">1</field>
+        <description>PolySwarm: Error with Endpoint</description>
+        <group>gdpr_IV_35.7.d,</group>
+        <options>no_full_log</options>
+    </rule>
+    <rule id="101002" level="3">
+        <if_sid>101000</if_sid>
+        <field name="polyswarm.found">0</field>
+        <description>PolySwarm: Alert - File not found in PolySwarm</description>
+        <options>no_full_log</options>
+    </rule>
+    <rule id="101003" level="3">
+        <if_sid>101000</if_sid>
+        <field name="polyswarm.found">1</field>
+        <field name="polyswarm.malicious">0</field>
+        <description>PolySwarm: Alert - $(polyswarm.source.file) - No positives found</description>
+        <options>no_full_log</options>
+    </rule>
+    <rule id="101004" level="3">
+        <if_sid>101000</if_sid>
+        <field name="polyswarm.malicious">1</field>
+        <description>PolySwarm: Alert - $(polyswarm.source.file) - $(polyswarm.positives) engines detected this file</description>
+        <group>gdpr_IV_35.7.d,</group>
+        <options>no_full_log</options>
+    </rule>
+</group>

From 76920a340dfd9f4bcdcc50175693cf1a09a1e855 Mon Sep 17 00:00:00 2001
From: Javier Botella <javier.botella@polyswarm.io>
Date: Mon, 29 Jun 2020 13:29:45 +0200
Subject: [PATCH 2/2] updated rules id

---
 rules/0690-polyswarm_rules.xml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/rules/0690-polyswarm_rules.xml b/rules/0690-polyswarm_rules.xml
index 3bafcfd51..e999e4c9a 100644
--- a/rules/0690-polyswarm_rules.xml
+++ b/rules/0690-polyswarm_rules.xml
@@ -1,32 +1,32 @@
 <group name="polyswarm,syscheck,">
-    <rule id="101000" level="0">
+    <rule id="91000" level="0">
         <decoded_as>json</decoded_as>
         <field name="integration">custom-polyswarm</field>
         <description>Polyswarm integration messages.</description>
         <options>no_full_log</options>
     </rule>
-    <rule id="101001" level="3">
-        <if_sid>101000</if_sid>
+    <rule id="91001" level="3">
+        <if_sid>91000</if_sid>
         <field name="polyswarm.error">1</field>
         <description>PolySwarm: Error with Endpoint</description>
         <group>gdpr_IV_35.7.d,</group>
         <options>no_full_log</options>
     </rule>
-    <rule id="101002" level="3">
-        <if_sid>101000</if_sid>
+    <rule id="91002" level="3">
+        <if_sid>91000</if_sid>
         <field name="polyswarm.found">0</field>
         <description>PolySwarm: Alert - File not found in PolySwarm</description>
         <options>no_full_log</options>
     </rule>
-    <rule id="101003" level="3">
-        <if_sid>101000</if_sid>
+    <rule id="91003" level="3">
+        <if_sid>91000</if_sid>
         <field name="polyswarm.found">1</field>
         <field name="polyswarm.malicious">0</field>
         <description>PolySwarm: Alert - $(polyswarm.source.file) - No positives found</description>
         <options>no_full_log</options>
     </rule>
-    <rule id="101004" level="3">
-        <if_sid>101000</if_sid>
+    <rule id="91004" level="3">
+        <if_sid>91000</if_sid>
         <field name="polyswarm.malicious">1</field>
         <description>PolySwarm: Alert - $(polyswarm.source.file) - $(polyswarm.positives) engines detected this file</description>
         <group>gdpr_IV_35.7.d,</group>