Need help > IIS Rules


Bruno Ignacio Diaz

Jan 2, 2023, 12:43:29 PM
to Wazuh mailing list
Hi! We need some help with our Wazuh configuration.

We now have a rule to read Exchange logs on port 500, but we also need another rule to read port 200 logs. I can give you the following log as an example:

2023-01-02 03:03:35 fe80::6c77:5857:a500:a652%5 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.3866&sessionID=Version_15.1_(Build_2307.0)=rJqNiZqNgZqHnJfSm56LntLPzdGVioyLlpyWnoyekZOKlozRmJCJ0Z6Ngc7Gy83PyczMycuBzc/NzNLPztLPzavPzMXOzMXMyg==&CorrelationID=<empty>;&cafeReqId=906f8afa-1fee-45d3-8a13-a71bb17c1f8b; 80 - fe80::6c77:5857:a500:a652%5 Microsoft+WinRM+Client - 200 0 0 10

We also need help creating an alert that sends an email when the log contains the following line:

powershell.autodiscover\.json.\@.*200

If you can help us, it would be great! Thanks in advance! :D

Roman Luna

Jan 2, 2023, 3:19:08 PM
to Wazuh mailing list
Hi,

If you already have a rule for port 500 and the log is similar, you can make a rule that changes only the part where the log is different.

To write the rule, the log first needs to be decoded correctly. Do you already have a decoder for this log? Can you share it with me?

This is to know what has been already done and what could be the best possible outcome taking into account both ports.

Additionally, you can make email alerts based on rule ID or group as per the following:

Also, you should take into account the global email options; remember that you need to have your own SMTP server:

Creating Decoders and Rules

Here is documentation related to how to create this that you might find helpful:



Regards.
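As an added example (not from this thread or from the Wazuh project), here is one way to put the pieces together: a decoder for the IIS W3C line quoted above, a rule chain that branches on the decoded status field (500 and 200), a child rule for the autodiscover pattern flagged for email, and the matching ossec.conf email settings. The decoder name, rule IDs (100200 to 100203) and mail addresses are assumed placeholders.

```xml
<!-- local_decoder.xml: IIS W3C default field order is date time s-ip cs-method cs-uri-stem
     cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken -->
<decoder name="iis-w3c">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d \S+ \w+ /</prematch>
  <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d (\S+) (\w+) (\S+) (\S+) (\d+) (\S+) (\S+) (\S+) (\S+) (\d+) (\d+) (\d+) (\d+)$</regex>
  <order>dstip, action, url, query, dstport, user, srcip, user_agent, referer, status, substatus, win32_status, time_taken</order>
</decoder>

<!-- local_rules.xml: IDs from 100000 upward are reserved for local rules -->
<group name="iis,web,">
  <rule id="100200" level="0">
    <decoded_as>iis-w3c</decoded_as>
    <description>IIS W3C request decoded.</description>
  </rule>
  <rule id="100201" level="5">
    <if_sid>100200</if_sid>
    <field name="status">^500$</field>
    <description>IIS: server error 500 for $(action) $(url) from $(srcip).</description>
  </rule>
  <rule id="100202" level="3">
    <if_sid>100200</if_sid>
    <field name="status">^200$</field>
    <description>IIS: $(action) $(url) from $(srcip) returned 200.</description>
  </rule>
  <!-- Wazuh's default regex dialect is not PCRE: '\.' means "any character" and a bare '.' is a literal dot,
       so the poster's pattern is rewritten below; the 200 comes from the parent rule's status field, not from a trailing '.*200' -->
  <rule id="100203" level="10">
    <if_sid>100202</if_sid>
    <regex>powershell\.autodiscover.json\.@</regex>
    <options>alert_by_email</options>
    <description>IIS: autodiscover.json request containing @ via /powershell returned 200.</description>
  </rule>
</group>

<!-- ossec.conf: email needs a reachable SMTP relay; the addresses are placeholders -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>smtp.example.org</smtp_server>
    <email_from>wazuh@example.org</email_from>
    <email_to>soc@example.org</email_to>
    <email_maxperhour>12</email_maxperhour>
  </global>
  <email_alerts>
    <email_to>soc@example.org</email_to>
    <rule_id>100203</rule_id>
  </email_alerts>
</ossec_config>
```

Feed the sample line to /var/ossec/bin/wazuh-logtest first and confirm that the status field is extracted before relying on the field-based rules. The alert_by_email option sends the mail for rule 100203 regardless of the global email_alert_level.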