Hi! I want to generate an alert for an SSH login on a Windows Server 2016 endpoint. I am receiving the logs in the archive index, decoded by the default JSON decoder, as shown in the attached picture. The logtest shows that no parent rule is triggered for this event. The agent-side configuration is:
<!-- Agent-side collection: subscribe to the Windows event log channel
     "OpenSSH/Operational" through the eventchannel reader. Events collected
     this way reach the manager as JSON with win.system / win.eventdata
     objects, as in the sample event further down this post. -->
<localfile>
<location>OpenSSH/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
The rule I wrote is shown below:
<!-- Custom rule: raise an alert for any event written to the OpenSSH/Operational channel. -->
<group name="win_server_16">
<!-- Child of rule 60000, the ruleset's Windows base rule, which is expected to match
     JSON-decoded events that carry win.system.providerName (verify against the
     installed ruleset). If logtest reports that 60000 itself never fires, the event is
     most likely not being handed to the JSON decoder in the form shown in the sample
     below (e.g. extra header text pasted in), so that is worth checking before this rule. -->
<rule id="100411" level="5">
<if_sid>60000</if_sid>
<!-- <field name="win.system.providerName">OpenSSH$</field> -->
<!-- <location>EventChannel</location> -->
<!-- Anchored match on the full channel name; "/" is not a metacharacter in this
     regex syntax, so it matches literally. The sample event below has
     channel "OpenSSH/Operational" and satisfies this condition. -->
<field name="win.system.channel">^OpenSSH/Operational$</field>
<!-- <field name="win.system.providerName">^OpenSSH$</field> -->
<!-- <field name="win.eventdata.process">^sshd$</field> -->
<!-- <description>$(win.system.message)</description> -->
<!-- NOTE(review): "DETACTED" reads as a typo for "DETECTED". A static description also
     drops the details an analyst needs for triage (account, source address, auth method),
     which the sample event carries in win.system.message / win.eventdata.payload; the
     commented-out dynamic description above would surface them in the alert. -->
<description>SSH LOG DETACTED</description>
</rule>
</group>
Log JSON (as stored in the archive index):
{"win":{"system":{"providerName":"OpenSSH","providerGuid":"{C4B57D35-0636-4BC3-A262-370F249F9802}","eventID":"4","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x4000000000000000","systemTime":"2023-09-18T08:23:58.493470400Z","eventRecordID":"15","processID":"1620","threadID":"1892","channel":"OpenSSH/Operational","computer":"WIN-72J08VIAJ0E","severityValue":"INFORMATION","message":"\"sshd: Accepted password for Administrator from 192.168.0.122 port 52866 ssh2\""},"eventdata":{"process":"sshd","payload":"Accepted password for Administrator from 192.168.0.122 port 52866 ssh2"}}}
Kindly guide me on how to solve this. Thanks!