Wazuh Rules for SentinelOne. In archives but not in alerts

245 views

Bastian

Apr 5, 2024, 6:53:46 AM
to Wazuh | Mailing List
Hi all,

I hope you can support me here, as I have been looking for a long time but cannot find the error.
I retrieve logs for SentinelOne via the Windows Event Channel. This works so far, but I can only see the logs in wazuh-archives-*.

## I have this in my agent.conf for the Windows Clients
<agent_config>
  <localfile>
    <location>SentinelOne/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>
## Logs arrive in the archives

## Then I would like to customize the levels using the following rules
# custom_rules sentinelone.xml
<group name="sentinelone,windows,">
  <rule id="100100" level="1">
    <field name="win.system.providerName">SentinelOne</field>
    <description>SentinelOne: Info</description>
  </rule>
  <rule id="100101" level="8">
    <if_sid>100100</if_sid>
    <field name="win.system.severityValue">WARNING</field>
    <description>SentinelOne: Warning</description>
  </rule>
  <rule id="100102" level="13">
    <if_sid>100100</if_sid>
    <!-- anchored so that 31 does not also match 310, 311, ... -->
    <field name="win.system.eventID">^31$</field>
    <!-- Dynamic fields in a description use the decoded field name; the
         "data." prefix only exists in the stored alert JSON. With
         $(data.win.system.computer) the host expands to an empty string,
         which is exactly what the logtest output below shows. -->
    <description>SentinelOne: Malware detected on $(win.system.computer)</description>
  </rule>
  <rule id="100103" level="8">
    <if_sid>100100</if_sid>
    <field name="win.system.eventID">^32$</field>
    <field name="win.eventdata.action">^Kill</field>
    <field name="win.eventdata.result">^Success</field>
    <description>SentinelOne: Malware has been killed successfully</description>
  </rule>
  <!-- Rule 100104 was an exact copy of 100103 (same parent, conditions,
       level and description) and is shadowed by it, so it is dropped. -->
  <rule id="100105" level="8">
    <if_sid>100100</if_sid>
    <field name="win.system.eventID">^32$</field>
    <field name="win.eventdata.result" negate="yes">^Success</field>
    <description>SentinelOne: failed to take action on Malware</description>
  </rule>
  <rule id="100106" level="15" frequency="5" timeframe="3600">
    <if_matched_sid>100105</if_matched_sid>
    <!-- The JSON decoder used for eventchannel does not set system_name,
         so correlate on the decoded computer field instead of
         <same_system_name />. -->
    <same_field>win.system.computer</same_field>
    <description>SentinelOne: unable to take action on Malware. Check host $(win.system.computer)</description>
    <options>alert_by_email</options>
  </rule>
</group>

##
## Ruletest looks fine
Starting wazuh-logtest v4.7.3
Type one log per line

{"win":{"system":{"providerName":"SentinelOne","providerGuid":"{7557185d-243a-489d-9dfb-191262f284d8}","eventID":"31","version":"0","level":"3","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2024-04-05T09:32:02.3118859Z","eventRecordID":"189","processID":"12928","threadID":"8680","channel":"SentinelOne/Operational","computer":"cliANT","severityValue":"WARNING","message":"\"Malware detected!\r\n\r\nTrue Context ID: 384C61FB93BC6164\r\nName: 99A5AFC59CA2D59AB83B2E632DE96A8473DE113D\r\nPath: C:\\Users\\Bastian\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\y1113b66.default-release\\cache2\\entries\\99A5AFC59CA2D59AB83B2E632DE96A8473DE113D\r\nDetection engine: windows.preExecution\""},"eventdata":{"trueContextID":"384C61FB93BC6164","name":"99A5AFC59CA2D59AB83B2E632DE96A8473DE113D","path":"C:\\\\Users\\\\Bastian\\\\AppData\\\\Local\\\\Mozilla\\\\Firefox\\\\Profiles\\\\y1113b66.default-release\\\\cache2\\\\entries\\\\99A5AFC59CA2D59AB83B2E632DE96A8473DE113D","detectionEngine":"windows.preExecution"}}}

**Phase 1: Completed pre-decoding.
        full event: '{"win":{"system":{"providerName":"SentinelOne","providerGuid":"{7557185d-243a-489d-9dfb-191262f284d8}","eventID":"31","version":"0","level":"3","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2024-04-05T09:32:02.3118859Z","eventRecordID":"189","processID":"12928","threadID":"8680","channel":"SentinelOne/Operational","computer":"cliANT","severityValue":"WARNING","message":"\"Malware detected!\r\n\r\nTrue Context ID: 384C61FB93BC6164\r\nName: 99A5AFC59CA2D59AB83B2E632DE96A8473DE113D\r\nPath: C:\\Users\\Bastian\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\y1113b66.default-release\\cache2\\entries\\99A5AFC59CA2D59AB83B2E632DE96A8473DE113D\r\nDetection engine: windows.preExecution\""},"eventdata":{"trueContextID":"384C61FB93BC6164","name":"99A5AFC59CA2D59AB83B2E632DE96A8473DE113D","path":"C:\\\\Users\\\\Bastian\\\\AppData\\\\Local\\\\Mozilla\\\\Firefox\\\\Profiles\\\\y1113b66.default-release\\\\cache2\\\\entries\\\\99A5AFC59CA2D59AB83B2E632DE96A8473DE113D","detectionEngine":"windows.preExecution"}}}'

**Phase 2: Completed decoding.
        name: 'json'
        win.eventdata.detectionEngine: 'windows.preExecution'
        win.eventdata.name: '99A5AFC59CA2D59AB83B2E632DE96A8473DE113D'
        win.eventdata.path: 'C:\\Users\\Bastian\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\y1113b66.default-release\\cache2\\entries\\99A5AFC59CA2D59AB83B2E632DE96A8473DE113D'
        win.eventdata.trueContextID: '384C61FB93BC6164'
        win.system.channel: 'SentinelOne/Operational'
        win.system.computer: 'cliANT'
        win.system.eventID: '31'
        win.system.eventRecordID: '189'
        win.system.keywords: '0x8000000000000000'
        win.system.level: '3'
        win.system.message: '"Malware detected!

True Context ID: 384C61FB93BC6164
Name: 99A5AFC59CA2D59AB83B2E632DE96A8473DE113D
Path: C:\Users\Bastian\AppData\Local\Mozilla\Firefox\Profiles\y1113b66.default-release\cache2\entries\99A5AFC59CA2D59AB83B2E632DE96A8473DE113D
Detection engine: windows.preExecution"'
        win.system.opcode: '0'
        win.system.processID: '12928'
        win.system.providerGuid: '{7557185d-243a-489d-9dfb-191262f284d8}'
        win.system.providerName: 'SentinelOne'
        win.system.severityValue: 'WARNING'
        win.system.systemTime: '2024-04-05T09:32:02.3118859Z'
        win.system.task: '1'
        win.system.threadID: '8680'
        win.system.version: '0'

**Phase 3: Completed filtering (rules).
        id: '100102'
        level: '13'
        description: 'SentinelOne: Malware detected on '
        groups: '['sentinelone', 'windows']'
        firedtimes: '1'
        mail: 'True'
**Alert to be generated.



But when an event is received, it does not go into wazuh-alerts:

**Messages:
        WARNING: (7003): '2bbd01f7' token expires
        INFO: (7202): Session initialized with token '4fd46047'

**Phase 1: Completed pre-decoding.
        full event: '{"win":{"system":{"providerName":"SentinelOne","providerGuid":"{7557185d-243a-489d-9dfb-191262f284d8}","eventID":"31","version":"0","level":"3","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2024-04-05T09:32:02.3118859Z","eventRecordID":"189","processID":"12928","threadID":"8680","channel":"SentinelOne/Operational","computer":"cliANT","severityValue":"WARNING","message":"\"Malware detected!\r\n\r\nTrue Context ID: 384C61FB93BC6164\r\nName: 99A5AFC59CA2D59AB83B2E632DE96A8473DE113D\r\nPath: C:\\Users\\Bastian\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\y1113b66.default-release\\cache2\\entries\\99A5AFC59CA2D59AB83B2E632DE96A8473DE113D\r\nDetection engine: windows.preExecution\""},"eventdata":{"trueContextID":"384C61FB93BC6164","name":"99A5AFC59CA2D59AB83B2E632DE96A8473DE113D","path":"C:\\\\Users\\\\Bastian\\\\AppData\\\\Local\\\\Mozilla\\\\Firefox\\\\Profiles\\\\y1113b66.default-release\\\\cache2\\\\entries\\\\99A5AFC59CA2D59AB83B2E632DE96A8473DE113D","detectionEngine":"windows.preExecution"}}}'

**Phase 2: Completed decoding.
        name: 'json'
        win.eventdata.detectionEngine: 'windows.preExecution'
        win.eventdata.name: '99A5AFC59CA2D59AB83B2E632DE96A8473DE113D'
        win.eventdata.path: 'C:\\Users\\Bastian\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\y1113b66.default-release\\cache2\\entries\\99A5AFC59CA2D59AB83B2E632DE96A8473DE113D'
        win.eventdata.trueContextID: '384C61FB93BC6164'
        win.system.channel: 'SentinelOne/Operational'
        win.system.computer: 'cliANT'
        win.system.eventID: '31'
        win.system.eventRecordID: '189'
        win.system.keywords: '0x8000000000000000'
        win.system.level: '3'
        win.system.message: '"Malware detected!
True Context ID: 384C61FB93BC6164 Name: 99A5AFC59CA2D59AB83B2E632DE96A8473DE113D Path: C:\Users\Bastian\AppData\Local\Mozilla\Firefox\Profiles\y1113b66.default-release\cache2\entries\99A5AFC59CA2D59AB83B2E632DE96A8473DE113D Detection engine: windows.preExecution"'
        win.system.opcode: '0'
        win.system.processID: '12928'
        win.system.providerGuid: '{7557185d-243a-489d-9dfb-191262f284d8}'
        win.system.providerName: 'SentinelOne'
        win.system.severityValue: 'WARNING'
        win.system.systemTime: '2024-04-05T09:32:02.3118859Z'
        win.system.task: '1'
        win.system.threadID: '8680'
        win.system.version: '0'

**Phase 3: Completed filtering (rules).
        id: '100102'
        level: '13'
        description: 'SentinelOne: Malware detected on '
        groups: '["sentinelone","windows"]'
        firedtimes: '1'
        mail: 'true'
**Alert to be generated.
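The rule set above can be exercised offline before the manager is touched. The following is an added example, not code from the thread or from Wazuh: a small Python model of the parts of Wazuh rule matching these rules rely on (regex on decoded fields, if_sid parenting, negate, $(field) expansion in descriptions, frequency/timeframe correlation on one field), run over constructed SentinelOne/Operational events. It assumes three corrections to the posted rules (the description written as $(win.system.computer), anchored event IDs, and same_field in place of same_system_name), omits the duplicate rule 100104, and constructs the event 32 action/result values ("Kill", "Success", "Failed"), severities, timestamps and host names cliANT/cliBOB; nothing about SentinelOne's real event 32 payload is taken from the page.

```python
"""Offline replay of the thread's SentinelOne rules (added example, not Wazuh code).
Models only what these rules use: regex on decoded fields, if_sid parenting, negate="yes",
$(field) expansion, frequency/timeframe correlation on one field. Engine details such as
the exact frequency trigger count are approximated; wazuh-logtest remains the authority."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Thread's rules with assumed fixes: $(win.system.computer) not $(data.win.system.computer),
# anchored event IDs, same_field instead of same_system_name; duplicate 100104 dropped.
RULES_XML = """<group name="sentinelone,windows,">
<rule id="100100" level="1"><field name="win.system.providerName">SentinelOne</field>
  <description>SentinelOne: Info</description></rule>
<rule id="100101" level="8"><if_sid>100100</if_sid><field name="win.system.severityValue">WARNING</field><description>SentinelOne: Warning</description></rule>
<rule id="100102" level="13"><if_sid>100100</if_sid><field name="win.system.eventID">^31$</field>
  <description>SentinelOne: Malware detected on $(win.system.computer)</description></rule>
<rule id="100103" level="8"><if_sid>100100</if_sid><field name="win.system.eventID">^32$</field>
  <field name="win.eventdata.action">^Kill</field><field name="win.eventdata.result">^Success</field>
  <description>SentinelOne: Malware has been killed successfully</description></rule>
<rule id="100105" level="8"><if_sid>100100</if_sid><field name="win.system.eventID">^32$</field>
  <field name="win.eventdata.result" negate="yes">^Success</field>
  <description>SentinelOne: failed to take action on Malware</description></rule>
<rule id="100106" level="15" frequency="5" timeframe="3600"><if_matched_sid>100105</if_matched_sid>
  <same_field>win.system.computer</same_field>
  <description>SentinelOne: unable to take action on Malware. Check host $(win.system.computer)</description></rule>
</group>"""

def flatten(obj, prefix=""):
    """Flatten decoded JSON into Wazuh's dotted field names (win.system.eventID)."""
    out = {}
    for key, val in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        out.update(flatten(val, name) if isinstance(val, dict) else {name: str(val)})
    return out

class RuleSet:
    def __init__(self, xml_text):
        self.rules, self.children, self.composite = {}, defaultdict(list), defaultdict(list)
        self.history = defaultdict(list)  # (composite rule id, correlation key) -> match times
        for r in ET.fromstring(xml_text).iter("rule"):
            rid = int(r.get("id"))
            self.rules[rid] = {
                "id": rid, "level": int(r.get("level")), "description": r.findtext("description"),
                "fields": [(f.get("name"), f.text, f.get("negate") == "yes") for f in r.findall("field")],
                "frequency": int(r.get("frequency", 0)), "timeframe": int(r.get("timeframe", 0)),
                "same_field": r.findtext("same_field")}
            if r.findtext("if_matched_sid"):  # correlation rule: checked after a base rule matched
                self.composite[int(r.findtext("if_matched_sid"))].append(rid)
            else:  # ordinary rule: child of its if_sid, or a root when it has none
                parent = r.findtext("if_sid")
                self.children[int(parent) if parent else None].append(rid)

    def _fields_match(self, rule, fields):
        for name, regex, negate in rule["fields"]:
            value = fields.get(name)
            # assumption: a <field> on a missing field never matches, negated or not
            if value is None or bool(re.search(regex, value)) == negate:
                return False
        return True

    def _match_tree(self, parent, fields):
        # children tried highest level first (ties by id); first match wins, then its children
        for rid in sorted(self.children[parent], key=lambda i: (-self.rules[i]["level"], i)):
            if self._fields_match(self.rules[rid], fields):
                return self._match_tree(rid, fields) or self.rules[rid]
        return None

    def evaluate(self, ts, event):
        """Return {id, level, description} for one decoded event at epoch ts, or None."""
        fields = flatten(event)
        rule = self._match_tree(None, fields)
        if rule is None:
            return None
        for cid in self.composite[rule["id"]]:
            comp = self.rules[cid]
            key = (cid, fields.get(comp["same_field"]))
            window = [t for t in self.history[key] if ts - t < comp["timeframe"]] + [ts]
            self.history[key] = window
            if len(window) >= comp["frequency"]:  # modelled as `frequency` matches inside `timeframe`
                self.history[key] = []  # reset so one burst raises the correlated alert once
                rule = comp
        desc = re.sub(r"\$\(([\w.]+)\)", lambda m: fields.get(m.group(1), ""), rule["description"])
        return {"id": rule["id"], "level": rule["level"], "description": desc}

def s1_event(event_id, computer, severity, **eventdata):
    """Constructed SentinelOne/Operational event shaped like the eventchannel decoder output."""
    system = {"providerName": "SentinelOne", "channel": "SentinelOne/Operational",
              "eventID": str(event_id), "severityValue": severity, "computer": computer}
    return {"win": {"system": system, "eventdata": eventdata}}

def replay():
    """Run a constructed sequence through the rules; returns one result per event."""
    rs, t0 = RuleSet(RULES_XML), 1_712_309_522  # constructed epoch; only the spacing matters
    events = [(t0, s1_event(31, "cliANT", "WARNING", detectionEngine="windows.preExecution")),
              (t0 + 5, s1_event(32, "cliANT", "INFORMATION", action="Kill", result="Success"))]
    # five failed kills on one host within an hour: the fifth should become 100106
    events += [(t0 + 60 * i, s1_event(32, "cliANT", "ERROR", action="Kill", result="Failed"))
               for i in range(1, 6)]
    events += [(t0 + 400, s1_event(32, "cliBOB", "ERROR", action="Kill", result="Failed")),  # other host
               (t0 + 500, s1_event(3, "cliANT", "WARNING")),      # generic warning -> 100101
               (t0 + 600, s1_event(3, "cliANT", "INFORMATION"))]  # -> 100100, level 1: archives only
    return [rs.evaluate(ts, ev) for ts, ev in events]

if __name__ == "__main__":
    print(*replay(), sep="\n")
```

Running the file prints one result per constructed event: the detection comes out as 100102 with the host name expanded, the fifth failed action on cliANT becomes 100106 at level 15 while cliBOB's single failure stays at 100105, and the plain INFORMATION event falls back to 100100 at level 1, which a manager with the default log_alert_level of 3 writes to archives.json only. To check a modified rule file, paste it into RULES_XML; the manager's wazuh-logtest remains the authority on what analysisd actually does.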

Stuti Gupta

Apr 10, 2024, 3:25:49 AM
to Wazuh | Mailing List
Hi Bastian,
Hope you are doing well.

I tested this and it is working fine, as you can see in the attached image.
[attachment: Screenshot_11.png]
Make sure to restart wazuh-manager to apply the changes.

Hope this helps