
SOCFortress CoPilot
https://www.socfortress.co
GNU Affero General Public License v3.0

SOC Alert Context not Fully Populating #251

Closed 0lIvIa09 closed 1 week ago

0lIvIa09 commented 1 week ago

Describe the bug I realised, after purchasing the licenced process analysis feature, that my SOC alerts don't include all the information shown in Taylor's video. However, when I create a SOC alert from the Alerts tab it populates as expected, so the issue seems to affect only the alerts that Copilot creates automatically. Because those alerts are not fully populated, the licenced process analysis feature doesn't work either. I am on the latest version of Copilot.

To Reproduce Steps to reproduce the behavior:

  1. Go to 'SOC' tab
  2. Click on 'Alerts'
  3. Click on an alert
  4. See context tab

Expected behavior All SOC alerts that are created should include the rest of the information, as seen in the screenshot below.

Screenshots The image below is a screenshot from Taylor's video.

image

The image below is one of my SOC alerts created an hour ago.

image

0lIvIa09 commented 1 week ago

JSON of my alert from the screenshot, in case it helps:

{
  "_index": "wazuh-emcel_60",
  "_id": "102a62dc-3215-11ef-bd7d-005056811c95",
  "_version": 2,
  "_score": null,
  "_source": {
    "data_win_eventdata_description": "Microsoft Visual Basic for Applications component",
    "source_reserved_ip": true,
    "data_win_system_eventRecordID": "9073725",
    "data_win_eventdata_user": "xxxxxxx",
    "agent_id": "513",
    "agent_name": "xxxxxx",
    "sha256": "3F1A444C47F3D8050ACA60466BE628EFE60B9A7107CFF4BDC3828ADAD055FCF8",
    "gl2_remote_ip": "xxxxxx",
    "data_win_system_eventID": "7",
    "gl2_remote_port": 51606,
    "agent_labels_customer": "xxxxx",
    "source": "xxxxxx",
    "gl2_source_input": "662a2224033da75fa13d93ce",
    "rule_level": 12,
    "data_win_eventdata_originalFileName": "VBEUI.DLL",
    "data_win_eventdata_company": "Microsoft Corporation",
    "gl2_processing_timestamp": "2024-06-24 10:32:31.870",
    "data_win_system_task": "7",
    "timestamp_utc": "2024-06-24T10:32:29.139Z",
    "syslog_type": "wazuh",
    "data_win_system_threadID": "5328",
    "rule_description": "Office application loaded vbeui.dll module. May be used to execute scripting code",
    "gl2_source_node": "ecb3ab62-be47-4e60-abf5-d32b2ecebbeb",
    "id": "1719225151.4086613730",
    "gl2_processing_duration_ms": 23,
    "rule_mitre_tactic": "Execution",
    "gl2_accounted_message_size": 6680,
    "data_win_eventdata_utcTime": "2024-06-24 10:32:29.134",
    "streams": [
      "662a28af033da75fa13da435"
    ],
    "rule_mitre_id": "T1059.005",
    "gl2_message_id": "01J14WVWBY8JW0PQMMT7HAN1XC",
    "data_win_system_computer": "xxxxxxx",
    "agent_ip_reserved_ip": true,
    "data_win_eventdata_ruleName": "technique_id=T1059.005,technique_name=Command and Scripting Interpreter VBScript",
    "data_win_eventdata_hashes": "SHA1=D70155A9BD340942076DAADB746A7D94FDC2A072,MD5=B55485E71DC79E10F03700320DC97713,SHA256=3F1A444C47F3D8050ACA60466BE628EFE60B9A7107CFF4BDC3828ADAD055FCF8,IMPHASH=600D48385BE8A9C50DFD74374738B514",
    "data_win_eventdata_signature": "Microsoft Corporation",
    "agent_ip": "xxxxx",
    "data_win_eventdata_image": "C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE",
    "true": 1719225151.512732,
    "rule_groups": "sysmon, sysmon_eid7_detections, windows",
    "data_win_system_keywords": "0x8000000000000000",
    "data_win_system_level": "4",
    "data_win_eventdata_fileVersion": "7.1.16.17628",
    "data_win_eventdata_signed": "true",
    "process_id": "13696",
    "gl2_receive_timestamp": "2024-06-24 10:32:31.847",
    "data_win_system_severityValue": "INFORMATION",
    "data_win_eventdata_processGuid": "{34a2903e-4b3a-6679-220e-000000000401}",
    "rule_mitre_technique": "Visual Basic",
    "rule_firedtimes": 10,
    "data_win_system_systemTime": "2024-06-24T10:32:29.1393916Z",
    "rule_mail": true,
    "decoder_name": "windows_eventchannel",
    "data_win_system_processID": "3396",
    "data_win_system_channel": "Microsoft-Windows-Sysmon/Operational",
    "syslog_level": "ALERT",
    "data_win_system_providerName": "Microsoft-Windows-Sysmon",
    "data_win_eventdata_processId": "13696",
    "data_win_system_version": "3",
    "data_win_system_providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
    "timestamp": "2024-06-24 10:32:31.870",
    "cluster_name": "wazuh",
    "data_win_system_opcode": "0",
    "gl2_processing_error": "Replaced invalid timestamp value in message <102a62dc-3215-11ef-bd7d-005056811c95> with current time - Value <2024-06-24T10:32:31.445+0000> caused exception: Invalid format: \"2024-06-24T10:32:31.445+0000\" is malformed at \"T10:32:31.445+0000\".",
    "message": "{\"true\":1719225151.512732,\"timestamp\":\"2024-06-24T10:32:31.445+0000\",\"rule\":{\"level\":12,\"description\":\"Office application loaded vbeui.dll module. May be used to execute scripting code\",\"id\":\"92156\",\"mitre\":{\"id\":[\"T1059.005\"],\"tactic\":[\"Execution\"],\"technique\":[\"Visual Basic\"]},\"firedtimes\":10,\"mail\":true,\"groups\":[\"sysmon\",\"sysmon_eid7_detections\",\"windows\"]},\"agent\":{\"id\":\"513\",\"name\":\"xxxxxxx\",\"ip\":\"xxxxxx\",\"labels\":{\"customer\":\"xxxxxx\"}},\"manager\":{\"name\":\"wazuh-worker2\"},\"id\":\"1719225151.4086613730\",\"cluster\":{\"name\":\"wazuh\",\"node\":\"wazuh-worker2\"},\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"7\",\"version\":\"3\",\"level\":\"4\",\"task\":\"7\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2024-06-24T10:32:29.1393916Z\",\"eventRecordID\":\"9073725\",\"processID\":\"3396\",\"threadID\":\"5328\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"xxxxxxx\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Image loaded:\\r\\nRuleName: technique_id=T1059.005,technique_name=Command and Scripting Interpreter VBScript\\r\\nUtcTime: 2024-06-24 10:32:29.134\\r\\nProcessGuid: {34a2903e-4b3a-6679-220e-000000000401}\\r\\nProcessId: 13696\\r\\nImage: C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE\\r\\nImageLoaded: C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\vfs\\\\ProgramFilesCommonX86\\\\Microsoft Shared\\\\VBA\\\\VBA7.1\\\\VBEUI.DLL\\r\\nFileVersion: 7.1.16.17628\\r\\nDescription: Microsoft Visual Basic for Applications component\\r\\nProduct: Microsoft Visual Basic for Applications\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: VBEUI.DLL\\r\\nHashes: 
SHA1=D70155A9BD340942076DAADB746A7D94FDC2A072,MD5=B55485E71DC79E10F03700320DC97713,SHA256=3F1A444C47F3D8050ACA60466BE628EFE60B9A7107CFF4BDC3828ADAD055FCF8,IMPHASH=600D48385BE8A9C50DFD74374738B514\\r\\nSigned: true\\r\\nSignature: Microsoft Corporation\\r\\nSignatureStatus: Valid\\r\\nUser: xxxxxxx\\\\xxxxx\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1059.005,technique_name=Command and Scripting Interpreter VBScript\",\"utcTime\":\"2024-06-24 10:32:29.134\",\"processGuid\":\"{34a2903e-4b3a-6679-220e-000000000401}\",\"processId\":\"13696\",\"image\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\Office16\\\\\\\\EXCEL.EXE\",\"imageLoaded\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\vfs\\\\\\\\ProgramFilesCommonX86\\\\\\\\Microsoft Shared\\\\\\\\VBA\\\\\\\\VBA7.1\\\\\\\\VBEUI.DLL\",\"fileVersion\":\"7.1.16.17628\",\"description\":\"Microsoft Visual Basic for Applications component\",\"product\":\"Microsoft Visual Basic for Applications\",\"company\":\"Microsoft Corporation\",\"originalFileName\":\"VBEUI.DLL\",\"hashes\":\"SHA1=D70155A9BD340942076DAADB746A7D94FDC2A072,MD5=B55485E71DC79E10F03700320DC97713,SHA256=3F1A444C47F3D8050ACA60466BE628EFE60B9A7107CFF4BDC3828ADAD055FCF8,IMPHASH=600D48385BE8A9C50DFD74374738B514\",\"signed\":\"true\",\"signature\":\"Microsoft Corporation\",\"signatureStatus\":\"Valid\",\"user\":\"xxxxxxxx\\\\\\\\xxxxxxxx\"}}},\"location\":\"EventChannel\"}",
    "data_win_eventdata_signatureStatus": "Valid",
    "rule_id": "92156",
    "hash_sha256": "SHA256=3F1A444C47F3D8050ACA60466BE628EFE60B9A7107CFF4BDC3828ADAD055FCF8",
    "manager_name": "wazuh-worker2",
    "data_win_eventdata_imageLoaded": "C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\vfs\\\\ProgramFilesCommonX86\\\\Microsoft Shared\\\\VBA\\\\VBA7.1\\\\VBEUI.DLL",
    "cluster_node": "wazuh-worker2",
    "location": "EventChannel",
    "rule_group3": "windows",
    "data_win_system_message": "\"Image loaded:\r\nRuleName: technique_id=T1059.005,technique_name=Command and Scripting Interpreter VBScript\r\nUtcTime: 2024-06-24 10:32:29.134\r\nProcessGuid: {34a2903e-4b3a-6679-220e-000000000401}\r\nProcessId: 13696\r\nImage: C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE\r\nImageLoaded: C:\\Program Files (x86)\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX86\\Microsoft Shared\\VBA\\VBA7.1\\VBEUI.DLL\r\nFileVersion: 7.1.16.17628\r\nDescription: Microsoft Visual Basic for Applications component\r\nProduct: Microsoft Visual Basic for Applications\r\nCompany: Microsoft Corporation\r\nOriginalFileName: VBEUI.DLL\r\nHashes: SHA1=D70155A9BD340942076DAADB746A7D94FDC2A072,MD5=B55485E71DC79E10F03700320DC97713,SHA256=3F1A444C47F3D8050ACA60466BE628EFE60B9A7107CFF4BDC3828ADAD055FCF8,IMPHASH=600D48385BE8A9C50DFD74374738B514\r\nSigned: true\r\nSignature: Microsoft Corporation\r\nSignatureStatus: Valid\r\nUser: xxxxxxx\\xxxxxx\"",
    "msg_timestamp": "2024-06-24T10:32:31.445Z",
    "rule_group2": "sysmon_eid7_detections",
    "data_win_eventdata_product": "Microsoft Visual Basic for Applications",
    "rule_group1": "sysmon",
    "alert_url": "https://xxxxxxx/alerts?cid=1&page=1&per_page=10&sort=desc&alert_ids=3199"
  },
  "fields": {
    "gl2_receive_timestamp": [
      "2024-06-24T10:32:31.847Z"
    ],
    "data_win_system_systemTime": [
      "2024-06-24T10:32:29.139Z"
    ],
    "gl2_processing_timestamp": [
      "2024-06-24T10:32:31.870Z"
    ],
    "timestamp_utc": [
      "2024-06-24T10:32:29.139Z"
    ],
    "msg_timestamp": [
      "2024-06-24T10:32:31.445Z"
    ],
    "timestamp": [
      "2024-06-24T10:32:31.870Z"
    ]
  }
taylorwalton commented 1 week ago

Fixed in https://github.com/socfortress/CoPilot/pull/254