Decoder for FortiEDR

[Fidel]

This is a example of log from FortiEDR, the idea is to extract date, time, devname, device name, process path, severity and rules list. Somebody can help me to make the decoder, I'm triying with https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/ but I can't.

2023 Aug 23 00:00:11 WZHA094HP01->10.94.94.11 date=2023-08-22 time=23:00:06 timestamp=1692741606 devname="SYSLOG-FortiEDR" devid="SYSLOG-23F6C9DF" vd="root" itime=1692741606 devname="SYSLOG-FortiEDR" device_id="SYSLOG-23F6C9DF" type="generic" pri="notice" msg="1 2023-08-22T22:00:05.000Z organization.console.ensilo.com FortiEDR - - - Message Type: Security Event;Organization: OrganizationName;Organization ID: 1;Event ID: 4105996;Raw Data ID: 1723875024;Device Name: WEBA162HP09;Device State: Running;Operating System: Windows Server 2019 Standard;Process Name: powershell.exe;Process Path: \\Device\\HarddiskVolume4\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;Process Type: 64bit;Severity: High;Classification: Inconclusive;Destination: Sensitive Information Access;First Seen: 22-Aug-2023, 20:02:06;Last Seen: 23-Aug-2023, 00:00:05;Action: Blocked (Simulation);Count: 128;Certificate: yes;Rules List: Suspicious Application - Connection Attempt from a Suspicious Application;Users: ;MAC Address: 00-15-5D-CA-29-4B;Script: powershellScript.ps1\';Script Path: {try {& \'C:\\Jenkins\\workspace\\WEBA162HP09 (Granja Web Nodo 1)\\ReinicioServicio.Task-WEBA162HP09@tmp\\durable-8bc7dc06\\powershellScript.ps1\';Autonomous System: N/A;Country: N/A;Process Hash: 6CBCE4A295C163791B60FC23D285E6D84F28EE4C;Source IP: 192.168.162.215;Threat Name: Unknown;Threat Family: Unknown;Threat Type: Unknown;Remediation Processes: N/A;Remediation Files: N/A;MITRE techniques: T1059 - Command and Scripting Interpreter, TA0005 - Defense Evasion, T1059.006 - Command and Scripting Interpreter: Python, T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm, T1047 - Windows Management Instrumentation, T1170 - Signed Binary Proxy Execution: Mshta, T1218.010 - Signed Binary Proxy Execution: Regsvr32, T1059.001 - Command and Scripting Interpreter: PowerShell, T1218.003 - Signed Binary Proxy Execution: CMSTP, T1218

Thanks.

[Sandra Ocando]

Hello Fidel,Here are some decoders for your log. For this type of log that contains variables that can change in order or that may not always be present, it's a good idea to use sibling decoders. Note that each decoder searches for a field, for example, "Device name:", regardless of its order of appearance.
I've included the fields you mentioned in your message: date, time, devname, Device Name, Process Path, Severity and Rules List. You can easily add more fields by creating analogous decoders.You can add these decoders to /var/ossec/etc/decoders/local_decoder.xml or create a separate decoder file for them.Note that to create and test your decoders, you should remove the following header: 2023 Aug 23 00:00:11 WZHA094HP01->10.94.94.11 as this is added by Wazuh but is not part of the original message.

<decoder name="FortiEDR">
  <prematch>FortiEDR</prematch>
</decoder>

<decoder name="FortiEDR">
  <parent>FortiEDR</parent>
  <regex>date=(\.*)\s\w+=|date=(\.*)$</regex>
  <order>date</order>
</decoder>

<decoder name="FortiEDR">
  <parent>FortiEDR</parent>
  <regex>time=(\.*)\s\w+=|time=(\.*)$</regex>
  <order>time</order>
</decoder>

<decoder name="FortiEDR">
  <parent>FortiEDR</parent>
  <regex>devname=(\.*)\s\w+=|devname=(\.*)$</regex>
  <order>devname</order>
</decoder>

<decoder name="FortiEDR">
  <parent>FortiEDR</parent>
  <regex>Device Name:(\.*);|Device Name:(\.*)$</regex>
  <order>Device_Name</order>
</decoder>

<decoder name="FortiEDR">
  <parent>FortiEDR</parent>
  <regex>Process Path:(\.*);|Process Path:(\.*)$</regex>
  <order>Process_Path</order>
</decoder>

<decoder name="FortiEDR">
  <parent>FortiEDR</parent>
  <regex>Severity:(\.*);|Severity:(\.*)$</regex>
  <order>Severity</order>
</decoder>

<decoder name="FortiEDR">
  <parent>FortiEDR</parent>
  <regex>Rules List:(\.*);|Rules List:(\.*)$</regex>
  <order>Rules_List</order>
</decoder>

Once you edited your decoders, you can test them using /var/ossec/bin/wazuh-logtest:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.5.1
Type one log per line

date=2023-08-22 time=23:00:06 timestamp=1692741606 devname="SYSLOG-FortiEDR" devid="SYSLOG-23F6C9DF" vd="root" itime=1692741606 devname="SYSLOG-FortiEDR" device_id="SYSLOG-23F6C9DF" type="generic" pri="notice" msg="1 2023-08-22T22:00:05.000Z organization.console.ensilo.com FortiEDR - - - Message Type: Security Event;Organization: OrganizationName;Organization ID: 1;Event ID: 4105996;Raw Data ID: 1723875024;Device Name: WEBA162HP09;Device State: Running;Operating System: Windows Server 2019 Standard;Process Name: powershell.exe;Process Path: \\Device\\HarddiskVolume4\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;Process Type: 64bit;Severity: High;Classification: Inconclusive;Destination: Sensitive Information Access;First Seen: 22-Aug-2023, 20:02:06;Last Seen: 23-Aug-2023, 00:00:05;Action: Blocked (Simulation);Count: 128;Certificate: yes;Rules List: Suspicious Application - Connection Attempt from a Suspicious Application;Users: ;MAC Address: 00-15-5D-CA-29-4B;Script: powershellScript.ps1\';Script Path: {try {& \'C:\\Jenkins\\workspace\\WEBA162HP09 (Granja Web Nodo 1)\\ReinicioServicio.Task-WEBA162HP09@tmp\\durable-8bc7dc06\\powershellScript.ps1\';Autonomous System: N/A;Country: N/A;Process Hash: 6CBCE4A295C163791B60FC23D285E6D84F28EE4C;Source IP: 192.168.162.215;Threat Name: Unknown;Threat Family: Unknown;Threat Type: Unknown;Remediation Processes: N/A;Remediation Files: N/A;MITRE techniques: T1059 - Command and Scripting Interpreter, TA0005 - Defense Evasion, T1059.006 - Command and Scripting Interpreter: Python, T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm, T1047 - Windows Management Instrumentation, T1170 - Signed Binary Proxy Execution: Mshta, T1218.010 - Signed Binary Proxy Execution: Regsvr32, T1059.001 - Command and Scripting Interpreter: PowerShell, T1218.003 - Signed Binary Proxy Execution: CMSTP, T1218"

**Phase 1: Completed pre-decoding.
	full event: 'date=2023-08-22 time=23:00:06 timestamp=1692741606 devname="SYSLOG-FortiEDR" devid="SYSLOG-23F6C9DF" vd="root" itime=1692741606 devname="SYSLOG-FortiEDR" device_id="SYSLOG-23F6C9DF" type="generic" pri="notice" msg="1 2023-08-22T22:00:05.000Z organization.console.ensilo.com FortiEDR - - - Message Type: Security Event;Organization: OrganizationName;Organization ID: 1;Event ID: 4105996;Raw Data ID: 1723875024;Device Name: WEBA162HP09;Device State: Running;Operating System: Windows Server 2019 Standard;Process Name: powershell.exe;Process Path: \\Device\\HarddiskVolume4\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;Process Type: 64bit;Severity: High;Classification: Inconclusive;Destination: Sensitive Information Access;First Seen: 22-Aug-2023, 20:02:06;Last Seen: 23-Aug-2023, 00:00:05;Action: Blocked (Simulation);Count: 128;Certificate: yes;Rules List: Suspicious Application - Connection Attempt from a Suspicious Application;Users: ;MAC Address: 00-15-5D-CA-29-4B;Script: powershellScript.ps1\';Script Path: {try {& \'C:\\Jenkins\\workspace\\WEBA162HP09 (Granja Web Nodo 1)\\ReinicioServicio.Task-WEBA162HP09@tmp\\durable-8bc7dc06\\powershellScript.ps1\';Autonomous System: N/A;Country: N/A;Process Hash: 6CBCE4A295C163791B60FC23D285E6D84F28EE4C;Source IP: 192.168.162.215;Threat Name: Unknown;Threat Family: Unknown;Threat Type: Unknown;Remediation Processes: N/A;Remediation Files: N/A;MITRE techniques: T1059 - Command and Scripting Interpreter, TA0005 - Defense Evasion, T1059.006 - Command and Scripting Interpreter: Python, T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm, T1047 - Windows Management Instrumentation, T1170 - Signed Binary Proxy Execution: Mshta, T1218.010 - Signed Binary Proxy Execution: Regsvr32, T1059.001 - Command and Scripting Interpreter: PowerShell, T1218.003 - Signed Binary Proxy Execution: CMSTP, T1218"'

**Phase 2: Completed decoding.
	name: 'FortiEDR'
	Device_Name: ' WEBA162HP09'
	Process_Path: ' \\Device\\HarddiskVolume4\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
	Rules_List: ' Suspicious Application - Connection Attempt from a Suspicious Application'
	Severity: ' High'
	date: '2023-08-22'
	devname: '"SYSLOG-FortiEDR"'
	time: '23:00:06'

After testing your rules and decoders with wazuh-logtest, remember to restart your manager to apply these changes to future alerts.
Let us know if you have any questions.

Best regards,

Sandra.

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/07eabcb7-5fb9-4b6a-bd10-e72006205c6fn%40googlegroups.com.

[Fidel]

Thank you. Just I need to make a rule which triggers an alert every time a FortiEDR log is received and in function of severity: Low, Medium or High define the level of the alert, as example: Low - 3, Medium - 6 and High - 9.

[Sandra Ocando]

Hello,I've created some rules based on the level of severity. Note that there's a parent rule to group all events decoded as FortiEDR and the corresponding child rules to differentiate according to the event's severity.The rule description includes the event severity followed by the rules list, for example, "'High severity FortiEDR event:  Suspicious Application - Connection Attempt from a Suspicious Application". You can change the description and customize these rules according to your needs.

<group name="FortiEDR,">

  <rule id="100200" level="0">
    <decoded_as>FortiEDR</decoded_as>
    <description>FortiEDR messages grouped.</description>
  </rule>

  <rule id="100201" level="3">
    <if_sid>100200</if_sid>
    <field name="Severity">Low</field>
    <description>Low severity FortiEDR event: $(Rules_List)</description>
  </rule>

  <rule id="100202" level="6">
    <if_sid>100200</if_sid>
    <field name="Severity">Medium</field>
    <description>Medium severity FortiEDR event: $(Rules_List)</description>
  </rule>

  <rule id="100203" level="9">
    <if_sid>100200</if_sid>
    <field name="Severity">High</field>
    <description>High severity FortiEDR event: $(Rules_List)</description>
  </rule>

</group>

You can add these rules in /var/ossec/etc/rules/local_rules.xml or you can create a dedicated file if you prefer. Remember to restart your Wazuh manager to apply changes.Here's the result of using wazuh-logtest with the original log you shared:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.5.1
Type one log per line

date=2023-08-22 time=23:00:06 timestamp=1692741606 devname="SYSLOG-FortiEDR" devid="SYSLOG-23F6C9DF" vd="root" itime=1692741606 devname="SYSLOG-FortiEDR" device_id="SYSLOG-23F6C9DF" type="generic" pri="notice" msg="1 2023-08-22T22:00:05.000Z organization.console.ensilo.com FortiEDR - - - Message Type: Security Event;Organization: OrganizationName;Organization ID: 1;Event ID: 4105996;Raw Data ID: 1723875024;Device Name: WEBA162HP09;Device State: Running;Operating System: Windows Server 2019 Standard;Process Name: powershell.exe;Process Path: \\Device\\HarddiskVolume4\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;Process Type: 64bit;Severity: High;Classification: Inconclusive;Destination: Sensitive Information Access;First Seen: 22-Aug-2023, 20:02:06;Last Seen: 23-Aug-2023, 00:00:05;Action: Blocked (Simulation);Count: 128;Certificate: yes;Rules List: Suspicious Application - Connection Attempt from a Suspicious Application;Users: ;MAC Address: 00-15-5D-CA-29-4B;Script: powershellScript.ps1\';Script Path: {try {& \'C:\\Jenkins\\workspace\\WEBA162HP09 (Granja Web Nodo 1)\\ReinicioServicio.Task-WEBA162HP09@tmp\\durable-8bc7dc06\\powershellScript.ps1\';Autonomous System: N/A;Country: N/A;Process Hash: 6CBCE4A295C163791B60FC23D285E6D84F28EE4C;Source IP: 192.168.162.215;Threat Name: Unknown;Threat Family: Unknown;Threat Type: Unknown;Remediation Processes: N/A;Remediation Files: N/A;MITRE techniques: T1059 - Command and Scripting Interpreter, TA0005 - Defense Evasion, T1059.006 - Command and Scripting Interpreter: Python, T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm, T1047 - Windows Management Instrumentation, T1170 - Signed Binary Proxy Execution: Mshta, T1218.010 - Signed Binary Proxy Execution: Regsvr32, T1059.001 - Command and Scripting Interpreter: PowerShell, T1218.003 - Signed Binary Proxy Execution: CMSTP, T1218"

**Phase 1: Completed pre-decoding.
	full event: 'date=2023-08-22 time=23:00:06 timestamp=1692741606 devname="SYSLOG-FortiEDR" devid="SYSLOG-23F6C9DF" vd="root" itime=1692741606 devname="SYSLOG-FortiEDR" device_id="SYSLOG-23F6C9DF" type="generic" pri="notice" msg="1 2023-08-22T22:00:05.000Z organization.console.ensilo.com FortiEDR - - - Message Type: Security Event;Organization: OrganizationName;Organization ID: 1;Event ID: 4105996;Raw Data ID: 1723875024;Device Name: WEBA162HP09;Device State: Running;Operating System: Windows Server 2019 Standard;Process Name: powershell.exe;Process Path: \\Device\\HarddiskVolume4\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;Process Type: 64bit;Severity: High;Classification: Inconclusive;Destination: Sensitive Information Access;First Seen: 22-Aug-2023, 20:02:06;Last Seen: 23-Aug-2023, 00:00:05;Action: Blocked (Simulation);Count: 128;Certificate: yes;Rules List: Suspicious Application - Connection Attempt from a Suspicious Application;Users: ;MAC Address: 00-15-5D-CA-29-4B;Script: powershellScript.ps1\';Script Path: {try {& \'C:\\Jenkins\\workspace\\WEBA162HP09 (Granja Web Nodo 1)\\ReinicioServicio.Task-WEBA162HP09@tmp

\\durable-8bc7dc06\\powershellScript.ps1\';Autonomous System: N/A;Country: N/A;Process Hash: 6CBCE4A295C163791B60FC23D285E6D84F28EE4C;Source IP: 192.168.162.215;Threat Name: Unknown;Threat Family: Unknown;Threat Type: Unknown;Remediation Processes: N/A;Remediation Files: N/A;MITRE techniques: T1059 - Command and Scripting Interpreter, TA0005 - Defense Evasion, T1059.006 - Command and Scripting Interpreter: Python, T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm, T1047 - Windows Management Instrumentation, T1170 - Signed Binary Proxy Execution: Mshta, T1218.010 - Signed Binary Proxy Execution: Regsvr32, T1059.001 - Command and Scripting Interpreter: PowerShell, T1218.003 - Signed Binary Proxy Execution: CMSTP, T1218"'

**Phase 2: Completed decoding.
	name: 'FortiEDR'
	Device_Name: ' WEBA162HP09'
	Process_Path: ' \\Device\\HarddiskVolume4\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
	Rules_List: ' Suspicious Application - Connection Attempt from a Suspicious Application'
	Severity: ' High'
	date: '2023-08-22'
	devname: '"SYSLOG-FortiEDR"'
	time: '23:00:06'

**Phase 3: Completed filtering (rules).
	id: '100203'
	level: '9'
	description: 'High severity FortiEDR event:  Suspicious Application - Connection Attempt from a Suspicious Application'
	groups: '['FortiEDR']'
	firedtimes: '1'
	mail: 'False'
**Alert to be generated.

Let us know if you have any questions.
Best regards,
Sandra.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/031a4a9f-6b90-43fa-ab25-1d729b53a678n%40googlegroups.com.

[Fidel]

Thanks.

[Fidel]

I have a question related to another topic. How I can receive logs from two different ports? I want to add 10.94.94.21/24 port 515.

<remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>10.94.94.11/24</allowed-ips>
  </remote>

Thanks.

[Sandra Ocando]

Hello Fidel,
Yes, you can receive logs from two different ports. To set this up, simply add another remote stanza with the desired port, for example, 515:

<remote>
  <connection>syslog</connection>
  <port>515</port>
  <protocol>tcp</protocol>
  <allowed-ips>10.94.94.11/24</allowed-ips>
</remote>

After making this configuration change, don't forget to restart your Wazuh manager for the changes to take effect.
Feel free to reach out if you have any further questions.
Cheers,
Sandra.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/0bfcb973-f1b1-4c16-8944-607798c54482n%40googlegroups.com.

[Fidel]

I'm triying to decode a log from FortiClient but I don't know how to extract some fields. The fields are date, devname, source_type, msg. And the problem is on Computer field.

2023 Aug 29 00:00:03 WZHA094HP01->10.94.94.11 date=2023-08-28 time=20:39:46 timestamp=1693258786 devname="devicename" devid="deviceid" fctuid="26E602440F3C4E0D99A1661446BB8CE4" source="win" source_ver="10" source_type="Windows Events" msg="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='nhi'/><EventID Qualifiers='16388'>9007</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2023-08-28T21:39:36.4682735Z'/><EventRecordID>496714</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15524'/><Channel>System</Channel><Computer>computername</Computer><Security/></System><EventData><Data></Data><Binary>0000000001000000000000002F230440000000000000000000000000000000000000000000000000</Binary></EventData></Event>" tz="-0100"

Thanks.

[Sandra Ocando]

Hi Fidel,

Would you mind sharing your decoders so I can test them in my lab environment?

What kind of problems are you facing with the computer field? Would you like to extract some fields from the msg field?

Looking forward to your answer.
Sandra.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/b3bd1825-4313-4ad4-9240-216b470aab83n%40googlegroups.com.

[Fidel]

Yes, I want to extract  just  <Computer>computername</Computer> what in the computer field. I don't know how to extract this field.

<decoder name="FortiClient">
  <prematch>devicename</prematch>
</decoder>

<decoder name="FortiClient">
  <parent>FortiClient</parent>

  <regex>date=(\.*)\s\w+=|date=(\.*)$</regex>
  <order>date</order>
</decoder>

<decoder name="FortiClient">
  <parent>FortiClient</parent>

  <regex>time=(\.*)\s\w+=|time=(\.*)$</regex>
  <order>time</order>
</decoder>

<decoder name="FortiClient">
  <parent>FortiClient</parent>

  <regex>devname=(\.*)\s\w+=|devname=(\.*)$</regex>
  <order>devname</order>
</decoder>

<decoder name="FortiClient">
  <parent>FortiClient</parent>
  <regex>source_type=(\.*)\s\w+=|source_type=(\.*)$</regex>
  <order>source_type</order>
</decoder>

<decoder name="FortiClient">
  <parent>FortiClient</parent>
  <regex><Computer>(\.*)</Computer>$</regex>
  <order>Computer</order>
</decoder>

Thanks.

[Sandra Ocando]

Hello,

As the <computer> field contains special characters, you need to adapt your regex accordingly. You should escape the < character by adding a backslash \ in front of it. To match the > character, you can use the \p expression.

A possible expression for extracting the computer name is:

 <regex>\<Computer\p(\.*)\</Computer\p</regex> 

To learn more, see the Regex (OS_Regex) syntax reference.

Here are your decoders with the modification for extracting the computer name:

<decoder name="local_decoder_example">
    <program_name>local_decoder_example</program_name>
</decoder>

<decoder name="FortiClient">
  <prematch>devicename</prematch>
</decoder>

<decoder name="FortiClient">
  <parent>FortiClient</parent>
  <regex>date=(\.*)\s\w+=|date=(\.*)$</regex>
  <order>date</order>
</decoder>

<decoder name="FortiClient">
  <parent>FortiClient</parent>
  <regex>time=(\.*)\s\w+=|time=(\.*)$</regex>
  <order>time</order>
</decoder>

<decoder name="FortiClient">
  <parent>FortiClient</parent>
  <regex>devname=(\.*)\s\w+=|devname=(\.*)$</regex>
  <order>devname</order>
</decoder>

<decoder name="FortiClient">
  <parent>FortiClient</parent>
  <regex>source_type=(\.*)\s\w+=|source_type=(\.*)$</regex>
  <order>source_type</order>
</decoder>

<decoder name="FortiClient">
  <parent>FortiClient</parent>
  <regex>\<Computer\p(\.*)\</Computer\p</regex>
  <order>Computer</order>
</decoder>

And here's the result of testing your log with the modified decoders:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.5.1
Type one log per line

2023 Aug 29 00:00:03 WZHA094HP01->10.94.94.11 date=2023-08-28 time=20:39:46 timestamp=1693258786 devname="devicename" devid="deviceid" fctuid="26E602440F3C4E0D99A1661446BB8CE4" source="win" source_ver="10" source_type="Windows Events" msg="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='nhi'/><EventID Qualifiers='16388'>9007</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2023-08-28T21:39:36.4682735Z'/><EventRecordID>496714</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15524'/><Channel>System</Channel><Computer>computername</Computer><Security/></System><EventData><Data></Data><Binary>0000000001000000000000002F230440000000000000000000000000000000000000000000000000</Binary></EventData></Event>" tz="-0100"

**Phase 1: Completed pre-decoding.
	full event: '2023 Aug 29 00:00:03 WZHA094HP01->10.94.94.11 date=2023-08-28 time=20:39:46 timestamp=1693258786 devname="devicename" devid="deviceid" fctuid="26E602440F3C4E0D99A1661446BB8CE4" source="win" source_ver="10" source_type="Windows Events" msg="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='nhi'/><EventID Qualifiers='16388'>9007</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2023-08-28T21:39:36.4682735Z'/><EventRecordID>496714</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15524'/><Channel>System</Channel><Computer>computername</Computer><Security/></System><EventData><Data></Data><Binary>0000000001000000000000002F230440000000000000000000000000000000000000000000000000</Binary></EventData></Event>" tz="-0100"'
	timestamp: '2023 Aug 29 00:00:03'

**Phase 2: Completed decoding.
	name: 'FortiClient'
	Computer: 'computername'
	date: '2023-08-28'
	devname: '"devicename"'
	source_type: '"Windows Events"'
	time: '20:39:46'

Let us know if this solves your issue.
Cheers,
Sandra.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/cb499502-3901-4fb4-b3e9-1999bf57dc06n%40googlegroups.com.

[Fidel]

I have another question. I created this decoder for Extrahop but didn't match in the decoder fase. 

<decoder name="ExtraHop">
  <prematch>ExtraHop</prematch>
</decoder>

<decoder name="ExtraHop">
  <parent>ExtraHop</parent>
  <regex>\d+(\d+-\d+-\d+\w+\d+:\d+:\d+.\d+\p\d+:\d+) </regex>
  <order>log_timestamp</order>
</decoder>

<decoder name="ExtraHop">
  <parent>ExtraHop</parent>
  <regex>(\d+)\|(\.*)\|(\.*)\|(\.*)\|(\.*)\|(\.*)\|(\.*)\|</regex>
  <order>CEFversion,Vendor,Product,ProductVersion,EventID,EventName,EventSeverity</order>
</decoder>

<decoder name="ExtraHop">
   <parent>ExtraHop</parent>
   <regex>cn1=(\.*)\s\w+=|cn1=(\.*)$</regex>
   <order>cn1</order>
</decoder>

<decoder name="ExtraHop">
   <parent>ExtraHop</parent>
   <regex>cn1Label=(\.*)\s\w+=|cn1Label=(\.*)$</regex>
   <order>cn1Label</order>
</decoder>

<decoder name="ExtraHop">
   <parent>ExtraHop</parent>
   <regex>cn2=(\.*)\s\w+=|cn2=(\.*)$</regex>
   <order>cn2</order>
</decoder>

<decoder name="ExtraHop">
   <parent>ExtraHop</parent>
   <regex>cn2Label=(\.*)\s\w+=|cn2Label=(\.*)$</regex>
   <order>cn2Label</order>
</decoder>

<decoder name="ExtraHop">
   <parent>ExtraHop</parent>
   <regex>cs1=(\.*)\s\w+=|cs1=(\.*)$</regex>
   <order>cs1</order>
</decoder>

<decoder name="ExtraHop">
   <parent>ExtraHop</parent>
   <regex>cs1Label=(\.*)\s\w+=|cs1Label=(\.*)$</regex>
   <order>cs1Label</order>
</decoder>

2023-09-05T22:10:47.623Z 10.94.94.21 CEF:0|ExtraHop|Reveal(x)|8.6|1|SMBv1 Connection|3|cn2=30 cn2Label=riskScore cs1=https://10.94.94.21/extrahop/#/detections/detail/16943 cs1Label=detectionURL cs2=sec,sec.hardening cs2Label=category cs3=16943 cs3Label=detectionIDstring rt=2023-08-29T22:07:48.201Z end=2023-08-29T22:07:48.201Z start=2023-08-15T22:37:01.382Z src=00:15:5D:A0:19:5E msg=[alc0025vlp.company](#/metrics/devices/83101f5dacfb4183b23e1484fd0c494e.00155da0195e0000/overview?from\=1692139021&interval_type\=DT&until\=1693346868) established a Server Message Block (SMB) connection with the SMBv1 dialect. This deprecated dialect of the SMB/CIFS protocol is known to be vulnerable to attacks.

Thanks.

[Fidel]

It appears an error using the expression<regex>\<Computer\p(\.*)\</Computer\p</regex>. If for you works, you can send me the .xml

[Sandra Ocando]

I'm attaching the decoder file. If you continue to encounter the error, please provide additional details so we can assist with troubleshooting.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/225d64e7-2f30-48e9-ba2e-ed29ad89e10en%40googlegroups.com.

[Fidel]

It doesn't work. There is an error on the xml syntax. About Extrahop, any idea? 

[Sandra Ocando]

This is a known limitation when working with the visual rule and decoder editor. Try adding the file directly to /var/ossec/etc/decoders/ and let us know how it goes.

Alternative, you may use the \p expression instead of \< :

<decoder name="FortiClient">
  <parent>FortiClient</parent>
  <regex>\pComputer\p(\.*)\p/Computer\p</regex>
  <order>Computer</order>
</decoder>

Regarding the ExtraHop decoder, I'll work on it as soon as I can and get back to you.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/e9049291-620e-4301-8021-9f5d29462270n%40googlegroups.com.

[Fidel]

Ok, it's all working, extrahop too.

Thanks.