Custom rule: Not appearing in alerts.json


Rhys Evans

Apr 20, 2020, 5:14:35 PM
to Wazuh mailing list
Hi

I am trying to create a custom rule, with the view to take action based off it. I cannot seem to get it working (Wazuh 3.12.2).

This is what I have.

In manager ossec.conf   (list etc/lists/blacklist)

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-sources</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
    <list>etc/lists/blacklist</list>
  </ruleset>


list  (cdb file is created)

root@wazuh:/var/ossec/bin# cat /var/ossec/etc/lists/blacklist



Local rules

root@wazuh:/var/ossec/bin# cat /var/ossec/etc/rules/local_rules.xml
<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2019, Wazuh Inc. -->

<group name="sysmon,">
  <rule id="199990" level="1">
    <match>Microsoft-Windows-Sysmon/Operational</match>
    <description>Sysmon - Event</description>
    <group>sysmon_event,</group>
  </rule>
  <rule id="199991" level="1">
    <if_group>sysmon_event</if_group>
    <field name="data.win.system.eventID">3</field>
    <description>Sysmon - Network Event</description>
    <group>sysmon_event_3,</group>
  </rule>
  <rule id="199992" level="12">
    <if_group>sysmon_event_3</if_group>
    <list field="data.win.eventdata.destinationIp" lookup="address_match_key">etc/lists/blacklist</list>
    <description>Bad Outbound Traffic Detected</description>
    <group>blacklist,</group>
  </rule>
  <rule id="199993" level="12">
    <if_group>sysmon_event_3</if_group>
    <list field="data.win.eventdata.sourceIp" lookup="address_match_key">etc/lists/blacklist</list>
    <description>Bad Inbound Traffic Detected</description>
    <group>blacklist,</group>
  </rule>
</group>



ossec-logtest

root@wazuh:/var/ossec/bin# ./ossec-logtest
2020/04/20 21:07:34 ossec-testrule: INFO: Started (pid: 15409).
ossec-testrule: Type one log per line.

{"timestamp":"2020-04-19T20:55:04.158+0000","agent":{"id":"045","name":"UN02","ip":"192.168.55.78"},"manager":{"name":"wazuh"},"id":"1587329704.232746055","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"3\",\"version\":\"5\",\"level\":\"4\",\"task\":\"3\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2020-04-19T20:55:03.665212900Z\",\"eventRecordID\":\"339476\",\"processID\":\"4616\",\"threadID\":\"2624\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"UN02\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Network connection detected:\\r\\nRuleName: \\r\\nUtcTime: 2020-04-19 20:54:56.710\\r\\nProcessGuid: {7d5baa64-8e8a-5e97-0000-00102eb02900}\\r\\nProcessId: 14224\\r\\nImage: C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe\\r\\nUser: UN02\\\\rhyse\\r\\nProtocol: tcp\\r\\nInitiated: true\\r\\nSourceIsIpv6: false\\r\\nSourceIp: 192.168.55.78\\r\\nSourceHostname: UN02.unwanted.local\\r\\nSourcePort: 50083\\r\\nSourcePortName: \\r\\nDestinationIsIpv6: false\\r\\nDestinationIp: 1.1.1.2\\r\\nDestinationHostname: \\r\\nDestinationPort: 80\\r\\nDestinationPortName: http\\\"\"},\"eventdata\":{\"utcTime\":\"2020-04-19 20:54:56.710\",\"processGuid\":\"{7d5baa64-8e8a-5e97-0000-00102eb02900}\",\"processId\":\"14224\",\"image\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\",\"user\":\"UN02\\\\\\\\rhyse\",\"protocol\":\"tcp\",\"initiated\":\"true\",\"sourceIsIpv6\":\"false\",\"sourceIp\":\"192.168.55.78\",\"sourceHostname\":\"UN02.unwanted.local\",\"sourcePort\":\"50083\",\"destinationIsIpv6\":\"false\",\"destinationIp\":\"1.1.1.2\",\"destinationPort\":\"80\",\"destinationPortName\":\"http\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"3","version":"5","level":"4","task":"3","opcode":"0","keywords":"0x8000000000000000","systemTime":"2020-04-19T20:55:03.665212900Z","eventRecordID":"339476","processID":"4616","threadID":"2624","channel":"Microsoft-Windows-Sysmon/Operational","computer":"UN02","severityValue":"INFORMATION","message":"\"Network connection detected:\r\nRuleName: \r\nUtcTime: 2020-04-19 20:54:56.710\r\nProcessGuid: {7d5baa64-8e8a-5e97-0000-00102eb02900}\r\nProcessId: 14224\r\nImage: C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\r\nUser: UN02\\rhyse\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 192.168.55.78\r\nSourceHostname: UN02.unwanted.local\r\nSourcePort: 50083\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 1.1.1.2\r\nDestinationHostname: \r\nDestinationPort: 80\r\nDestinationPortName: http\""},"eventdata":{"utcTime":"2020-04-19 20:54:56.710","processGuid":"{7d5baa64-8e8a-5e97-0000-00102eb02900}","processId":"14224","image":"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe","user":"UN02\\\\rhyse","protocol":"tcp","initiated":"true","sourceIsIpv6":"false","sourceIp":"192.168.55.78","sourceHostname":"UN02.unwanted.local","sourcePort":"50083","destinationIsIpv6":"false","destinationIp":"1.1.1.2","destinationPort":"80","destinationPortName":"http"}}},"location":"EventChannel"}


**Phase 1: Completed pre-decoding.
       full event: '{"timestamp":"2020-04-19T20:55:04.158+0000","agent":{"id":"045","name":"UN02","ip":"192.168.55.78"},"manager":{"name":"wazuh"},"id":"1587329704.232746055","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"3\",\"version\":\"5\",\"level\":\"4\",\"task\":\"3\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2020-04-19T20:55:03.665212900Z\",\"eventRecordID\":\"339476\",\"processID\":\"4616\",\"threadID\":\"2624\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"UN02\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Network connection detected:\\r\\nRuleName: \\r\\nUtcTime: 2020-04-19 20:54:56.710\\r\\nProcessGuid: {7d5baa64-8e8a-5e97-0000-00102eb02900}\\r\\nProcessId: 14224\\r\\nImage: C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe\\r\\nUser: UN02\\\\rhyse\\r\\nProtocol: tcp\\r\\nInitiated: true\\r\\nSourceIsIpv6: false\\r\\nSourceIp: 192.168.55.78\\r\\nSourceHostname: UN02.unwanted.local\\r\\nSourcePort: 50083\\r\\nSourcePortName: \\r\\nDestinationIsIpv6: false\\r\\nDestinationIp: 1.1.1.2\\r\\nDestinationHostname: \\r\\nDestinationPort: 80\\r\\nDestinationPortName: http\\\"\"},\"eventdata\":{\"utcTime\":\"2020-04-19 20:54:56.710\",\"processGuid\":\"{7d5baa64-8e8a-5e97-0000-00102eb02900}\",\"processId\":\"14224\",\"image\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\",\"user\":\"UN02\\\\\\\\rhyse\",\"protocol\":\"tcp\",\"initiated\":\"true\",\"sourceIsIpv6\":\"false\",\"sourceIp\":\"192.168.55.78\",\"sourceHostname\":\"UN02.unwanted.local\",\"sourcePort\":\"50083\",\"destinationIsIpv6\":\"false\",\"destinationIp\":\"1.1.1.2\",\"destinationPort\":\"80\",\"destinationPortName\":\"http\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"3","version":"5","level":"4","task":"3","opcode":"0","keywords":"0x8000000000000000","systemTime":"2020-04-19T20:55:03.665212900Z","eventRecordID":"339476","processID":"4616","threadID":"2624","channel":"Microsoft-Windows-Sysmon/Operational","computer":"UN02","severityValue":"INFORMATION","message":"\"Network connection detected:\r\nRuleName: \r\nUtcTime: 2020-04-19 20:54:56.710\r\nProcessGuid: {7d5baa64-8e8a-5e97-0000-00102eb02900}\r\nProcessId: 14224\r\nImage: C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\r\nUser: UN02\\rhyse\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 192.168.55.78\r\nSourceHostname: UN02.unwanted.local\r\nSourcePort: 50083\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 1.1.1.2\r\nDestinationHostname: \r\nDestinationPort: 80\r\nDestinationPortName: http\""},"eventdata":{"utcTime":"2020-04-19 20:54:56.710","processGuid":"{7d5baa64-8e8a-5e97-0000-00102eb02900}","processId":"14224","image":"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe","user":"UN02\\\\rhyse","protocol":"tcp","initiated":"true","sourceIsIpv6":"false","sourceIp":"192.168.55.78","sourceHostname":"UN02.unwanted.local","sourcePort":"50083","destinationIsIpv6":"false","destinationIp":"1.1.1.2","destinationPort":"80","destinationPortName":"http"}}},"location":"EventChannel"}'
       timestamp: '(null)'
       hostname: 'wazuh'
       program_name: '(null)'
       log: '{"timestamp":"2020-04-19T20:55:04.158+0000","agent":{"id":"045","name":"UN02","ip":"192.168.55.78"},"manager":{"name":"wazuh"},"id":"1587329704.232746055","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"3\",\"version\":\"5\",\"level\":\"4\",\"task\":\"3\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2020-04-19T20:55:03.665212900Z\",\"eventRecordID\":\"339476\",\"processID\":\"4616\",\"threadID\":\"2624\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"UN02\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Network connection detected:\\r\\nRuleName: \\r\\nUtcTime: 2020-04-19 20:54:56.710\\r\\nProcessGuid: {7d5baa64-8e8a-5e97-0000-00102eb02900}\\r\\nProcessId: 14224\\r\\nImage: C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe\\r\\nUser: UN02\\\\rhyse\\r\\nProtocol: tcp\\r\\nInitiated: true\\r\\nSourceIsIpv6: false\\r\\nSourceIp: 192.168.55.78\\r\\nSourceHostname: UN02.unwanted.local\\r\\nSourcePort: 50083\\r\\nSourcePortName: \\r\\nDestinationIsIpv6: false\\r\\nDestinationIp: 1.1.1.2\\r\\nDestinationHostname: \\r\\nDestinationPort: 80\\r\\nDestinationPortName: http\\\"\"},\"eventdata\":{\"utcTime\":\"2020-04-19 20:54:56.710\",\"processGuid\":\"{7d5baa64-8e8a-5e97-0000-00102eb02900}\",\"processId\":\"14224\",\"image\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\",\"user\":\"UN02\\\\\\\\rhyse\",\"protocol\":\"tcp\",\"initiated\":\"true\",\"sourceIsIpv6\":\"false\",\"sourceIp\":\"192.168.55.78\",\"sourceHostname\":\"UN02.unwanted.local\",\"sourcePort\":\"50083\",\"destinationIsIpv6\":\"false\",\"destinationIp\":\"1.1.1.2\",\"destinationPort\":\"80\",\"destinationPortName\":\"http\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"3","version":"5","level":"4","task":"3","opcode":"0","keywords":"0x8000000000000000","systemTime":"2020-04-19T20:55:03.665212900Z","eventRecordID":"339476","processID":"4616","threadID":"2624","channel":"Microsoft-Windows-Sysmon/Operational","computer":"UN02","severityValue":"INFORMATION","message":"\"Network connection detected:\r\nRuleName: \r\nUtcTime: 2020-04-19 20:54:56.710\r\nProcessGuid: {7d5baa64-8e8a-5e97-0000-00102eb02900}\r\nProcessId: 14224\r\nImage: C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\r\nUser: UN02\\rhyse\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 192.168.55.78\r\nSourceHostname: UN02.unwanted.local\r\nSourcePort: 50083\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 1.1.1.2\r\nDestinationHostname: \r\nDestinationPort: 80\r\nDestinationPortName: http\""},"eventdata":{"utcTime":"2020-04-19 20:54:56.710","processGuid":"{7d5baa64-8e8a-5e97-0000-00102eb02900}","processId":"14224","image":"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe","user":"UN02\\\\rhyse","protocol":"tcp","initiated":"true","sourceIsIpv6":"false","sourceIp":"192.168.55.78","sourceHostname":"UN02.unwanted.local","sourcePort":"50083","destinationIsIpv6":"false","destinationIp":"1.1.1.2","destinationPort":"80","destinationPortName":"http"}}},"location":"EventChannel"}'

**Phase 2: Completed decoding.
       decoder: 'json'
       timestamp: '2020-04-19T20:55:04.158+0000'
       agent.id: '045'
       agent.name: 'UN02'
       agent.ip: '192.168.55.78'
       manager.name: 'wazuh'
       id: '1587329704.232746055'
       full_log: '{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"3","version":"5","level":"4","task":"3","opcode":"0","keywords":"0x8000000000000000","systemTime":"2020-04-19T20:55:03.665212900Z","eventRecordID":"339476","processID":"4616","threadID":"2624","channel":"Microsoft-Windows-Sysmon/Operational","computer":"UN02","severityValue":"INFORMATION","message":"\"Network connection detected:\r\nRuleName: \r\nUtcTime: 2020-04-19 20:54:56.710\r\nProcessGuid: {7d5baa64-8e8a-5e97-0000-00102eb02900}\r\nProcessId: 14224\r\nImage: C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\r\nUser: UN02\\rhyse\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 192.168.55.78\r\nSourceHostname: UN02.unwanted.local\r\nSourcePort: 50083\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 1.1.1.2\r\nDestinationHostname: \r\nDestinationPort: 80\r\nDestinationPortName: http\""},"eventdata":{"utcTime":"2020-04-19 20:54:56.710","processGuid":"{7d5baa64-8e8a-5e97-0000-00102eb02900}","processId":"14224","image":"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe","user":"UN02\\\\rhyse","protocol":"tcp","initiated":"true","sourceIsIpv6":"false","sourceIp":"192.168.55.78","sourceHostname":"UN02.unwanted.local","sourcePort":"50083","destinationIsIpv6":"false","destinationIp":"1.1.1.2","destinationPort":"80","destinationPortName":"http"}}}'
       decoder.name: 'windows_eventchannel'
       data.win.system.providerName: 'Microsoft-Windows-Sysmon'
       data.win.system.providerGuid: '{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
       data.win.system.eventID: '3'
       data.win.system.version: '5'
       data.win.system.level: '4'
       data.win.system.task: '3'
       data.win.system.opcode: '0'
       data.win.system.keywords: '0x8000000000000000'
       data.win.system.systemTime: '2020-04-19T20:55:03.665212900Z'
       data.win.system.eventRecordID: '339476'
       data.win.system.processID: '4616'
       data.win.system.threadID: '2624'
       data.win.system.channel: 'Microsoft-Windows-Sysmon/Operational'
       data.win.system.computer: 'UN02'
       data.win.system.severityValue: 'INFORMATION'
       data.win.system.message: '"Network connection detected:
RuleName:
UtcTime: 2020-04-19 20:54:56.710
ProcessGuid: {7d5baa64-8e8a-5e97-0000-00102eb02900}
ProcessId: 14224
Image: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
User: UN02\rhyse
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.55.78
SourceHostname: UN02.unwanted.local
SourcePort: 50083
SourcePortName:
DestinationIsIpv6: false
DestinationIp: 1.1.1.2
DestinationHostname:
DestinationPort: 80
DestinationPortName: http"'
       data.win.eventdata.utcTime: '2020-04-19 20:54:56.710'
       data.win.eventdata.processGuid: '{7d5baa64-8e8a-5e97-0000-00102eb02900}'
       data.win.eventdata.processId: '14224'
       data.win.eventdata.image: 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'
       data.win.eventdata.user: 'UN02\\rhyse'
       data.win.eventdata.protocol: 'tcp'
       data.win.eventdata.initiated: 'true'
       data.win.eventdata.sourceIsIpv6: 'false'
       data.win.eventdata.sourceIp: '192.168.55.78'
       data.win.eventdata.sourceHostname: 'UN02.unwanted.local'
       data.win.eventdata.sourcePort: '50083'
       data.win.eventdata.destinationIsIpv6: 'false'
       data.win.eventdata.destinationIp: '1.1.1.2'
       data.win.eventdata.destinationPort: '80'
       data.win.eventdata.destinationPortName: 'http'
       location: 'EventChannel'

**Phase 3: Completed filtering (rules).
       Rule id: '199992'
       Level: '12'
       Description: 'Bad Outbound Traffic Detected'
**Alert to be generated.



However, the event never makes it into the alerts.json file (it's in the archives.json, without the rule details).

Any ideas?


There are subsequent questions:

1) Why are the provided sysmon rules not hitting? They exist and are from around April 9th.
2) How can I use "data.win.eventdata.destinationIp" or "data.win.eventdata.sourceIp" for active responses? The documentation seems to allude to only srcip being able to be used.


Any help is appreciated.

Thanks






Eva Lopez

Apr 21, 2020, 3:29:37 AM
to Wazuh mailing list

Hello Rhys,

First of all, the Logtest tool can’t test the Eventchannel events. To do it, you have to modify rule number 60000, as shown below:

<rule id="60000" level="0">
  <decoded_as>json</decoded_as>
  <field name="win.system.providerName">\.+</field>
  <options>no_full_log</options>
  <description>Group of windows rules</description>
</rule>

You will find it in ruleset/rules/0575-win.base_rules.xml.

Please note that after the tests are over, the rule must be returned to its original state.

Apart from that, the log input in Logtest must be the following:

{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"3","version":"5","level":"4","task":"3","opcode":"0","keywords":"0x8000000000000000","systemTime":"2020-04-19T20:55:03.665212900Z","eventRecordID":"339476","processID":"4616","threadID":"2624","channel":"Microsoft-Windows-Sysmon/Operational","computer":"UN02","severityValue":"INFORMATION","message":"\"Network connection detected:\r\nRuleName: \r\nUtcTime: 2020-04-19 20:54:56.710\r\nProcessGuid: {7d5baa64-8e8a-5e97-0000-00102eb02900}\r\nProcessId: 14224\r\nImage: C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\r\nUser: UN02\\rhyse\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 192.168.55.78\r\nSourceHostname: UN02.unwanted.local\r\nSourcePort: 50083\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 1.1.1.2\r\nDestinationHostname: \r\nDestinationPort: 80\r\nDestinationPortName: http\""},"eventdata":{"utcTime":"2020-04-19 20:54:56.710","processGuid":"{7d5baa64-8e8a-5e97-0000-00102eb02900}","processId":"14224","image":"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe","user":"UN02\\\\rhyse","protocol":"tcp","initiated":"true","sourceIsIpv6":"false","sourceIp":"192.168.55.78","sourceHostname":"UN02.unwanted.local","sourcePort":"50083","destinationIsIpv6":"false","destinationIp":"1.1.1.2","destinationPort":"80","destinationPortName":"http"}}}

This log has been obtained from the JSON you sent.
When I input the log in Logtest the output is:

# bin/ossec-logtest 
2020/04/21 09:06:17 ossec-testrule: INFO: Started (pid: 7119).
ossec-testrule: Type one log per line.

{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"3","version":"5","level":"4","task":"3","opcode":"0","keywords":"0x8000000000000000","systemTime":"2020-04-19T20:55:03.665212900Z","eventRecordID":"339476","processID":"4616","threadID":"2624","channel":"Microsoft-Windows-Sysmon/Operational","computer":"UN02","severityValue":"INFORMATION","message":"\"Network connection detected:\r\nRuleName: \r\nUtcTime: 2020-04-19 20:54:56.710\r\nProcessGuid: {7d5baa64-8e8a-5e97-0000-00102eb02900}\r\nProcessId: 14224\r\nImage: C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\r\nUser: UN02\\rhyse\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 192.168.55.78\r\nSourceHostname: UN02.unwanted.local\r\nSourcePort: 50083\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 1.1.1.2\r\nDestinationHostname: \r\nDestinationPort: 80\r\nDestinationPortName: http\""},"eventdata":{"utcTime":"2020-04-19 20:54:56.710","processGuid":"{7d5baa64-8e8a-5e97-0000-00102eb02900}","processId":"14224","image":"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe","user":"UN02\\\\rhyse","protocol":"tcp","initiated":"true","sourceIsIpv6":"false","sourceIp":"192.168.55.78","sourceHostname":"UN02.unwanted.local","sourcePort":"50083","destinationIsIpv6":"false","destinationIp":"1.1.1.2","destinationPort":"80","destinationPortName":"http"}}}

**Phase 1: Completed pre-decoding.
       full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"3","version":"5","level":"4","task":"3","opcode":"0","keywords":"0x8000000000000000","systemTime":"2020-04-19T20:55:03.665212900Z","eventRecordID":"339476","processID":"4616","threadID":"2624","channel":"Microsoft-Windows-Sysmon/Operational","computer":"UN02","severityValue":"INFORMATION","message":"\"Network connection detected:\r\nRuleName: \r\nUtcTime: 2020-04-19 20:54:56.710\r\nProcessGuid: {7d5baa64-8e8a-5e97-0000-00102eb02900}\r\nProcessId: 14224\r\nImage: C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\r\nUser: UN02\\rhyse\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 192.168.55.78\r\nSourceHostname: UN02.unwanted.local\r\nSourcePort: 50083\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 1.1.1.2\r\nDestinationHostname: \r\nDestinationPort: 80\r\nDestinationPortName: http\""},"eventdata":{"utcTime":"2020-04-19 20:54:56.710","processGuid":"{7d5baa64-8e8a-5e97-0000-00102eb02900}","processId":"14224","image":"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe","user":"UN02\\\\rhyse","protocol":"tcp","initiated":"true","sourceIsIpv6":"false","sourceIp":"192.168.55.78","sourceHostname":"UN02.unwanted.local","sourcePort":"50083","destinationIsIpv6":"false","destinationIp":"1.1.1.2","destinationPort":"80","destinationPortName":"http"}}}'
       timestamp: '(null)'
       hostname: 'lopezziur'
       program_name: '(null)'
       log: '{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"3","version":"5","level":"4","task":"3","opcode":"0","keywords":"0x8000000000000000","systemTime":"2020-04-19T20:55:03.665212900Z","eventRecordID":"339476","processID":"4616","threadID":"2624","channel":"Microsoft-Windows-Sysmon/Operational","computer":"UN02","severityValue":"INFORMATION","message":"\"Network connection detected:\r\nRuleName: \r\nUtcTime: 2020-04-19 20:54:56.710\r\nProcessGuid: {7d5baa64-8e8a-5e97-0000-00102eb02900}\r\nProcessId: 14224\r\nImage: C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\r\nUser: UN02\\rhyse\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 192.168.55.78\r\nSourceHostname: UN02.unwanted.local\r\nSourcePort: 50083\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 1.1.1.2\r\nDestinationHostname: \r\nDestinationPort: 80\r\nDestinationPortName: http\""},"eventdata":{"utcTime":"2020-04-19 20:54:56.710","processGuid":"{7d5baa64-8e8a-5e97-0000-00102eb02900}","processId":"14224","image":"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe","user":"UN02\\\\rhyse","protocol":"tcp","initiated":"true","sourceIsIpv6":"false","sourceIp":"192.168.55.78","sourceHostname":"UN02.unwanted.local","sourcePort":"50083","destinationIsIpv6":"false","destinationIp":"1.1.1.2","destinationPort":"80","destinationPortName":"http"}}}'

**Phase 2: Completed decoding.
       decoder: 'json'

             ....

**Phase 3: Completed filtering (rules).
       Rule id: '61605'
       Level: '0'
       Description: 'Sysmon - Event 3: Network connection by '

The custom rules which use the CDB list must be fired if rule 61605 does. The rules could be as follows:

<group name="sysmon,">
  <rule id="199992" level="12">
    <if_sid>61605</if_sid>
    <list field="win.eventdata.destinationIp" lookup="address_match_key">etc/lists/blacklist</list>
    <description>Bad Outbound Traffic Detected</description>
    <group>blacklist,</group>
  </rule>
  <rule id="199993" level="12">
    <if_sid>61605</if_sid>
    <list field="win.eventdata.sourceIp" lookup="address_match_key">etc/lists/blacklist</list>
    <description>Bad Inbound Traffic Detected</description>
    <group>blacklist,</group>
  </rule>
</group>

Regarding active response, you can configure it to run when rule 199993 or 199992 fires. You can read more about it in our documentation.

I hope it helps you. If you have further questions, let us know.

Best regards,
Eva
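An added example (not from the thread or from the Wazuh project) that works through the two points in Eva's answer: ossec-logtest must be fed the event's `full_log`, not the alerts/archives document wrapped around it, and a rule's field path is resolved against that decoded event, so `win.eventdata.destinationIp` resolves while the `data.`-prefixed path in the first post only existed because the json decoder had parsed the whole alert record. The record, the blacklist entries and the netblock semantics of `address_match_key` (trailing-dot prefixes, modelled on OSSEC's dotted-prefix truncation) are constructed assumptions.

```python
import json

# Constructed archives.json-style record, shaped like the event in the thread
# (shortened; not a real capture): the raw event is the string under "full_log".
ARCHIVE_RECORD = json.dumps({
    "timestamp": "2020-04-19T20:55:04.158+0000",
    "agent": {"id": "045", "name": "UN02"},
    "full_log": json.dumps({"win": {
        "system": {"providerName": "Microsoft-Windows-Sysmon", "eventID": "3",
                   "channel": "Microsoft-Windows-Sysmon/Operational"},
        "eventdata": {"sourceIp": "192.168.55.78", "destinationIp": "1.1.1.2",
                      "destinationPort": "80", "protocol": "tcp"},
    }}),
    "decoder": {"name": "windows_eventchannel"},
})

# Constructed blacklist in the key:value layout of a CDB list source file. The
# trailing-dot entry is a netblock prefix (assumed address_match_key semantics,
# modelled on OSSEC's dotted-prefix truncation).
BLACKLIST_SOURCE = """\
1.1.1.2:test-destination
10.66.:lab-netblock
"""


def extract_logtest_input(record_line: str) -> str:
    """The line to paste into ossec-logtest: full_log, not the whole record."""
    return json.loads(record_line)["full_log"]


def decode_event(record_line: str) -> dict:
    """What the json decoder sees when the manager receives the raw event."""
    return json.loads(extract_logtest_input(record_line))


def resolve_field(event: dict, dotted: str):
    """Resolve a rule <field name>/<list field> path; None if a component is missing."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def load_cdb_source(text: str) -> dict:
    """Parse 'key:value' lines as laid out in a list source file."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, value = line.partition(":")
            entries[key.strip()] = value.strip()
    return entries


def address_match_key(entries: dict, ip) -> bool:
    """Exact address first, then shorter dotted prefixes ('10.66.5.', '10.66.', '10.')."""
    if not ip:
        return False
    candidate = ip
    while True:
        if candidate in entries:
            return True
        cut = candidate.rstrip(".").rfind(".")
        if cut < 0:
            return False
        candidate = candidate[:cut + 1]


def fired_rules(record_line: str, blacklist: str) -> list:
    """Custom rules (ids from the thread) that match via the win.eventdata.* paths."""
    event = decode_event(record_line)
    entries = load_cdb_source(blacklist)
    fired = []
    if address_match_key(entries, resolve_field(event, "win.eventdata.destinationIp")):
        fired.append(199992)  # Bad Outbound Traffic Detected
    if address_match_key(entries, resolve_field(event, "win.eventdata.sourceIp")):
        fired.append(199993)  # Bad Inbound Traffic Detected
    return fired
```

Running `fired_rules(ARCHIVE_RECORD, BLACKLIST_SOURCE)` returns only 199992, because the destination 1.1.1.2 is listed and the source 192.168.55.78 is not; resolving the `data.win.eventdata.destinationIp` path against the same event returns None.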

Rhys Evans

Apr 22, 2020, 2:45:52 AM
to Eva Lopez, Wazuh mailing list
Hi,

Thanks for the response, that helped a lot. I will now work on active response.

Thanks

Eva Lopez

Apr 23, 2020, 6:32:36 AM
to Wazuh mailing list
You are welcome!
I am glad I am useful.

Regards,
Eva