Closed gjahchan closed 7 years ago
Hi,
we have decoders for the following Sysmon events: 1, 2, 3, 4, 5, 6, 7, 8, 11 and 15.
Example:
```
**Phase 2: Completed decoding.
       decoder: 'windows'
       id: '1'
       sysmon.processGuid: '{DB577E3B-9C44-58DB-0000-0010B0983A00}'
       sysmon.processId: '3784'
       sysmon.image: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       sysmon.commandLine: '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\Alberto\Desktop\test.ps1"'
       sysmon.currentDirectory: 'C:\Users\Alberto\Desktop\'
       srcuser: 'WIN-P57C9KN929H\Alberto'
       sysmon.logonGuid: '{DB577E3B-89E5-58DB-0000-0020CB290500}'
       sysmon.logonId: '0x529cb'
       sysmon.terminalSessionId: '1'
       sysmon.integrityLevel: 'Medium'
       sysmon.hashes: '92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7'
       sysmon.parentProcessGuid: '{DB577E3B-89E6-58DB-0000-0010FA3B0500}'
       sysmon.parentProcessId: '2308'
       sysmon.parentImage: 'C:\Windows\explorer.exe'

**Phase 3: Completed filtering (rules).
       Rule id: '184665'
       Level: '0'
       Description: 'Sysmon - Event 1'
```
If you want to edit/add a Sysmon decoder, you must do it in https://github.com/wazuh/wazuh-ruleset/blob/master/decoders/0380-windows_decoders.xml#L200. The order must be:
You can use the dynamic fields using this syntax: https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0330-sysmon_rules.xml#L127. Also, if the field is extracted as a static field, you can use the traditional syntax: \<id>, \<data>, \<srcip>, etc.
More info: https://documentation.wazuh.com/current/user-manual/ruleset/index.html
Regards.
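To make the parent/child decoding and the dynamic-field mechanism described in the reply above concrete, here is an added example that is not part of the issue and not code from the Wazuh ruleset. It emulates what `ossec-logtest` does in phase 2 (the `windows` parent decoder runs first, then the first matching child fills the `<order>` names as dynamic fields) and in phase 3 (a rule's `<field name="...">` conditions evaluated against those fields). The Sysmon Event 1 line is constructed for the demo with the values from the logtest output quoted above, the decoder patterns are Python `re` approximations of Wazuh's OS_Regex dialect (which is not PCRE), the child decoder name `sysmon-event-1-demo` is hypothetical, and the child is given the text left after the parent match, as `offset="after_parent"` would; none of this replaces testing a real decoder with logtest.

```python
import re

# Constructed sample event (not a real capture): a Sysmon Event 1 record in the
# "WinEvtLog: " format the agent forwards, with the event's line breaks flattened
# to spaces. Values come from the logtest output quoted in the issue; the field
# layout is an approximation of Sysmon's message text (assumption).
SAMPLE_EVENT = (
    "WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): "
    "Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-P57C9KN929H: "
    "Process Create: UtcTime: 2017-03-29 10:00:00.000 "
    "ProcessGuid: {DB577E3B-9C44-58DB-0000-0010B0983A00} ProcessId: 3784 "
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    'CommandLine: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '"-file" "C:\\Users\\Alberto\\Desktop\\test.ps1" '
    "CurrentDirectory: C:\\Users\\Alberto\\Desktop\\ "
    "User: WIN-P57C9KN929H\\Alberto IntegrityLevel: Medium "
    "Hashes: MD5=92F44E405DB16AC55D97E3BFE3B132FA "
    "ParentImage: C:\\Windows\\explorer.exe"
)

# Each dict stands in for one <decoder> block: <prematch>, <regex> and <order>.
# Patterns are Python `re` approximations of Wazuh's OS_Regex (assumption: \S,
# \d, \w, .+ and (...) capture groups behave alike for these simple patterns).
PARENT_DECODER = {
    "name": "windows",
    "prematch": r"^WinEvtLog: ",
    # channel, severity, event id, provider (assumed layout, not the real decoder)
    "regex": r"^(\S+): (\w+)\((\d+)\): (\S+): ",
    "order": ["channel", "severity", "id", "provider"],
}

CHILD_DECODERS = [
    {
        "name": "sysmon-event-1-demo",  # hypothetical decoder name
        "parent": "windows",
        "prematch": r"Process Create: ",
        # \S+ for paths assumes no spaces, which holds for the constructed sample only
        "regex": (
            r"ProcessGuid: (\S+) ProcessId: (\d+) Image: (\S+) CommandLine: (.+) "
            r"CurrentDirectory: (\S+) User: (\S+) IntegrityLevel: (\S+) "
            r"Hashes: (\S+) ParentImage: (\S+)$"
        ),
        # <order> entries become dynamic fields; dotted names nest under "sysmon"
        "order": [
            "sysmon.processGuid", "sysmon.processId", "sysmon.image",
            "sysmon.commandLine", "sysmon.currentDirectory", "srcuser",
            "sysmon.integrityLevel", "sysmon.hashes", "sysmon.parentImage",
        ],
    },
]


def apply_decoder(decoder, text, fields):
    """Run prematch, then regex, on text; store capture groups under the <order>
    names; return the unconsumed tail (what a child with offset="after_parent"
    sees), or None when the decoder does not apply."""
    pre = re.search(decoder["prematch"], text)
    if pre is None:
        return None
    tail = text[pre.end():]
    match = re.search(decoder["regex"], tail)
    if match is None:
        return None
    if len(match.groups()) != len(decoder["order"]):
        # a real decoder with this mismatch silently drops or misaligns fields
        raise ValueError(f"{decoder['name']}: <order> count != capture groups")
    fields.update(zip(decoder["order"], match.groups()))
    return tail[match.end():]


def decode(event, parent=PARENT_DECODER, children=CHILD_DECODERS):
    """Emulate logtest phase 2: parent first, then the first matching child."""
    fields = {}
    tail = apply_decoder(parent, event, fields)
    if tail is None:
        return fields  # no decoder matched; no fields for rules to use
    fields["decoder"] = parent["name"]
    for child in children:
        if child["parent"] == parent["name"] and apply_decoder(child, tail, fields) is not None:
            break
    return fields


def rule_matches(field_patterns, fields):
    """Emulate a rule's <field name="..."> conditions: every named dynamic field
    must exist and match its pattern (Wazuh evaluates <field> as OS_Regex)."""
    return all(
        name in fields and re.search(pattern, fields[name]) is not None
        for name, pattern in field_patterns.items()
    )


if __name__ == "__main__":
    decoded = decode(SAMPLE_EVENT)
    for name, value in decoded.items():
        print(f"{name}: '{value}'")
    print(rule_matches({"sysmon.image": r"powershell\.exe$"}, decoded))
```

Running it prints the same `decoder`/`id`/`sysmon.*` lines as the phase 2 output above (for the fields the constructed sample carries), and the final `rule_matches` call shows the phase 3 side: a rule condition such as `<field name="sysmon.image">powershell\.exe$</field>` can only fire once the child decoder has actually populated `sysmon.image`, which is why a child whose `<prematch>` or `<regex>` never matches leaves rules with nothing to test.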
Thank you for the tip Jesus.
Upgraded my ruleset to the latest. Sysmon events are now fully decoded.
You can close the issue.
Dynamic decoders refuse to work on Sysmon events. Something as simple as:
```
\
\windows\
\windows\
\INFORMATION\(\d+\): Microsoft-Windows-(Sysmon): \S+: .+: \S+: (.+):\s+\
\evt_subtype,evt_detail\
\
```
fails to store any values in evt_subtype or evt_detail.
Non-dynamic decoded values are not usable for regex or match in rules.