wolle604
commented
8 months ago Hey, please provide an example of the
Open senrabdet opened 10 months ago
wolle604
commented
8 months ago Hey, please provide an example of the
Hi All, not sure this is the right place to post this, but for some time have been (on and off) trying to get various rules to work in Ossec, both custom and some of the canned. E.g., for windows there is a set of rules on my debian server for windows defender (windows security essentials) in /var/ossec/rules//ms-se_rules.xml. As best I can tell, these aren't getting used/fired. I've tried to add a custom decoder to work with them (wasn't sure that was even needed). To test this, I cause a fake Eicar virus alert on a windows test machine. On that windows machine, defender detects the virus, cleans it, and creates events in the event log under the "Microsoft-Windows-Windows Defender/Operationa" channel. However, the event does not seem to show up in my archives.log (nor the alerts.log) though I am getting various alerts in the archives.log for authentication types of events with the alerts part of ossec.conf set to 1. Am assuming this is all "user knowledge" types of problems, though the bing AI tool suggested that these security essentials (a tool retired some years go/changed to Windows Defender) rules no longer work though in looking at them the rules content in the xml file would seem to still apply to defender which is (my understanding) the current offspring of the older security essentials. I can provide logs and config etc (I've not gotten the log test to help yet), though am initially wondering if help is available and what might be helpful to lookin in, share etc? Hoping for some gentle help...Thx.