Issue with Sysmon Rules


Joshua Strickland

Sep 2, 2024, 2:01:53 AM
to Wazuh | Mailing List
Hello,

I'm pulling in Sysmon logs successfully; however, in my sysmon.xml rule file on the server I want the last 6 rules to show up under a different group for each rule.

For example, right now the alerts all show up under sysmon_process-anomalies, as shown in this screenshot:
sysmong-alert-group.PNG

However, I would like it to look like this for each Event ID:
sysmong-alert-group-desired.PNG

I will attach a raw text file of the sysmon.xml rules that I am using. The rules I want to be in a different group are the last 6 rules, all with a level of 3. I realize they are all wrapped in the (sysmon, sysmon_process-anomalies) group, but I'm not sure how to correct this to achieve what I'm trying to do.

Any help is greatly appreciated!
sysmon_rules.txt

Juan Manuel Segura Duarte

Sep 2, 2024, 3:35:55 AM
to Wazuh | Mailing List
Hello Joshua,
Yes, you can achieve the desired functionality by using the `<group>` tag in every rule, adding additional groups to that rule without overwriting its current ones. Here you can find the reference for the group tag: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#group, specifically the second part:
2024-09-02---09-25-00.png

So you could add the corresponding group to the 6 last rules; here is how it would look:

```
<rule id="255084" level="3">
  <if_group>sysmon</if_group>
  <field name="win.system.eventID">1</field>
  <description>Windows Sysmon Event 1: Process creation</description>
  <options>no_full_log</options>
  <group>sysmon_event_1</group>
</rule>

<rule id="255082" level="3">
  <if_group>sysmon</if_group>
  <field name="win.system.eventID">3</field>
  <description>Windows Sysmon Event 3: Network connection detected</description>
  <options>no_full_log</options>
  <group>sysmon_event_3</group>
</rule>

<rule id="255085" level="3">
  <if_group>sysmon</if_group>
  <field name="win.system.eventID">6</field>
  <description>Windows Sysmon Event 6: Driver loaded</description>
  <options>no_full_log</options>
  <group>sysmon_event_6</group>
</rule>

<rule id="255083" level="3">
  <if_group>sysmon</if_group>
  <field name="win.system.eventID">7</field>
  <description>Windows Sysmon Event 7: Image loaded</description>
  <options>no_full_log</options>
  <group>sysmon_event_7</group>
</rule>

<rule id="255086" level="3">
  <if_group>sysmon</if_group>
  <field name="win.system.eventID">15</field>
  <description>Windows Sysmon Event 15: File CreateStreamHash</description>
  <options>no_full_log</options>
  <group>sysmon_event_15</group>
</rule>

<rule id="255081" level="3">
  <if_group>sysmon</if_group>
  <field name="win.system.eventID">22</field>
  <description>Windows Sysmon Event 22: DNSServerInfo</description>
  <options>no_full_log</options>
  <group>sysmon_event_22</group>
</rule>
```

If you also want to remove the `sysmon_process-anomalies` group from them, you can add them to a new group like this:
```
<!-- Rules from https://github.com/Neo23x0/sigma/tree/master/rules/windows/sysmon @smtszk updated by @nissy34 -->
<!-- Sysmon Wazuh Rules version 1.0-->
<group name="sysmon,sysmon_process-anomalies,">
  <rule id="255000" level="12">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.image">\\powershell.exe||\\.ps1||\\.ps2</field>
    <description>Sysmon - Event 1: Powershell or Script Execution: $(win.eventdata.image)</description>
  </rule>
</group>

<!-- 6 last rules only have the group sysmon and their own group (sysmon_event_ID) -->
<group name="sysmon,">
  <rule id="255084" level="3">
    <if_group>sysmon</if_group>
    <field name="win.system.eventID">1</field>
    <description>Windows Sysmon Event 1: Process creation</description>
    <options>no_full_log</options>
    <group>sysmon_event_1</group>
  </rule>

  <rule id="255082" level="3">
    <if_group>sysmon</if_group>
    <field name="win.system.eventID">3</field>
    <description>Windows Sysmon Event 3: Network connection detected</description>
    <options>no_full_log</options>
    <group>sysmon_event_3</group>
  </rule>

  <rule id="255085" level="3">
    <if_group>sysmon</if_group>
    <field name="win.system.eventID">6</field>
    <description>Windows Sysmon Event 6: Driver loaded</description>
    <options>no_full_log</options>
    <group>sysmon_event_6</group>
  </rule>

  <rule id="255083" level="3">
    <if_group>sysmon</if_group>
    <field name="win.system.eventID">7</field>
    <description>Windows Sysmon Event 7: Image loaded</description>
    <options>no_full_log</options>
    <group>sysmon_event_7</group>
  </rule>

  <rule id="255086" level="3">
    <if_group>sysmon</if_group>
    <field name="win.system.eventID">15</field>
    <description>Windows Sysmon Event 15: File CreateStreamHash</description>
    <options>no_full_log</options>
    <group>sysmon_event_15</group>
  </rule>

  <rule id="255081" level="3">
    <if_group>sysmon</if_group>
    <field name="win.system.eventID">22</field>
    <description>Windows Sysmon Event 22: DNSServerInfo</description>
    <options>no_full_log</options>
    <group>sysmon_event_22</group>
  </rule>
</group>
```

We hope you find this information useful.
Regards,
Juan Manuel
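A quick way to check a layout like the one in the reply above before restarting the manager is to compute each rule's effective group list offline. The following Python script is an added example, not code from this thread or from Wazuh: it parses a rules file in the shape described above and, following the group semantics in the linked documentation, reports the enclosing `<group name="...">` entries plus each rule's own `<group>` entries. The embedded rules text is a constructed abbreviation of the second listing (the level-12 rule and two of the six Event ID rules); because a Wazuh rules file has several top-level `<group>` elements and no single root, the script wraps the content in a synthetic root element before parsing.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Wazuh rules file (abbreviated from the
# layout suggested in the reply): one group that keeps the
# sysmon_process-anomalies membership, and a second group whose rules inherit
# only "sysmon" and add their own sysmon_event_<ID> group.
SAMPLE_RULES = r"""
<group name="sysmon,sysmon_process-anomalies,">
  <rule id="255000" level="12">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.image">\\powershell.exe||\\.ps1||\\.ps2</field>
    <description>Sysmon - Event 1: Powershell or Script Execution: $(win.eventdata.image)</description>
  </rule>
</group>

<group name="sysmon,">
  <rule id="255084" level="3">
    <if_group>sysmon</if_group>
    <field name="win.system.eventID">1</field>
    <description>Windows Sysmon Event 1: Process creation</description>
    <options>no_full_log</options>
    <group>sysmon_event_1</group>
  </rule>
  <rule id="255081" level="3">
    <if_group>sysmon</if_group>
    <field name="win.system.eventID">22</field>
    <description>Windows Sysmon Event 22: DNSServerInfo</description>
    <options>no_full_log</options>
    <group>sysmon_event_22</group>
  </rule>
</group>
"""


def split_groups(value):
    """Split a Wazuh group list ("a,b," with an optional trailing comma)."""
    return [g.strip() for g in value.split(",") if g.strip()]


def effective_groups(rules_xml):
    """Return {rule_id: [groups]}: the enclosing <group name> entries followed
    by the rule's own <group> entries, duplicates removed, order preserved.
    The file has no single root, so wrap it before handing it to ElementTree."""
    root = ET.fromstring("<root>" + rules_xml + "</root>")
    result = {}
    for grp in root.findall("group"):
        inherited = split_groups(grp.get("name", ""))
        for rule in grp.findall("rule"):
            own = []
            for tag in rule.findall("group"):
                own.extend(split_groups(tag.text or ""))
            merged = []
            for g in inherited + own:
                if g not in merged:
                    merged.append(g)
            result[rule.get("id")] = merged
    return result


def rules_in_group(rules_xml, group_name):
    """Rule IDs whose effective group list contains group_name."""
    return sorted(rid for rid, gs in effective_groups(rules_xml).items()
                  if group_name in gs)


if __name__ == "__main__":
    for rid, gs in effective_groups(SAMPLE_RULES).items():
        print(rid, ",".join(gs))
    print("still in sysmon_process-anomalies:",
          rules_in_group(SAMPLE_RULES, "sysmon_process-anomalies"))
```

With the sample above, rule 255000 resolves to `sysmon,sysmon_process-anomalies` while 255084 and 255081 resolve to `sysmon,sysmon_event_1` and `sysmon,sysmon_event_22`, which is the split the reply is after. This is only a static check of the file; the authoritative test is still to restart the manager and run a sample Sysmon event through `wazuh-logtest` to see which groups the alert carries.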