Decoder for FortiEDR
326 views
Skip to first unread message
Fidel
Aug 31, 2023, 4:18:15 AM8/31/23
to Wazuh | Mailing List
This is a example of log from FortiEDR, the idea is to extract date, time, devname, device name, process path, severity and rules list. Somebody can help me to make the decoder, I'm triying with https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/ but I can't.
2023 Aug 23 00:00:11 WZHA094HP01->10.94.94.11 date=2023-08-22 time=23:00:06 timestamp=1692741606 devname="SYSLOG-FortiEDR" devid="SYSLOG-23F6C9DF" vd="root" itime=1692741606 devname="SYSLOG-FortiEDR" device_id="SYSLOG-23F6C9DF" type="generic" pri="notice" msg="1 2023-08-22T22:00:05.000Z organization.console.ensilo.com FortiEDR - - - Message Type: Security Event;Organization: OrganizationName;Organization ID: 1;Event ID: 4105996;Raw Data ID: 1723875024;Device Name: WEBA162HP09;Device State: Running;Operating System: Windows Server 2019 Standard;Process Name: powershell.exe;Process Path: \\Device\\HarddiskVolume4\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;Process Type: 64bit;Severity: High;Classification: Inconclusive;Destination: Sensitive Information Access;First Seen: 22-Aug-2023, 20:02:06;Last Seen: 23-Aug-2023, 00:00:05;Action: Blocked (Simulation);Count: 128;Certificate: yes;Rules List: Suspicious Application - Connection Attempt from a Suspicious Application;Users: ;MAC Address: 00-15-5D-CA-29-4B;Script: powershellScript.ps1\';Script Path: {try {& \'C:\\Jenkins\\workspace\\WEBA162HP09 (Granja Web Nodo 1)\\ReinicioServicio.Task-WEBA162HP09@tmp\\durable-8bc7dc06\\powershellScript.ps1\';Autonomous System: N/A;Country: N/A;Process Hash: 6CBCE4A295C163791B60FC23D285E6D84F28EE4C;Source IP: 192.168.162.215;Threat Name: Unknown;Threat Family: Unknown;Threat Type: Unknown;Remediation Processes: N/A;Remediation Files: N/A;MITRE techniques: T1059 - Command and Scripting Interpreter, TA0005 - Defense Evasion, T1059.006 - Command and Scripting Interpreter: Python, T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm, T1047 - Windows Management Instrumentation, T1170 - Signed Binary Proxy Execution: Mshta, T1218.010 - Signed Binary Proxy Execution: Regsvr32, T1059.001 - Command and Scripting Interpreter: PowerShell, T1218.003 - Signed Binary Proxy Execution: CMSTP, T1218
Thanks.
Sandra Ocando
Aug 31, 2023, 6:19:53 AM8/31/23
to Fidel, Wazuh | Mailing List
Hello Fidel,Here are some decoders for your log. For this type of log that contains variables that can change in order or that may not always be present, it's a good idea to use sibling decoders. Note that each decoder searches for a field, for example, "Device name:", regardless of its order of appearance.
I've included the fields you mentioned in your message: date, time, devname, Device Name, Process Path, Severity and Rules List. You can easily add more fields by creating analogous decoders.You can add these decoders to
I've included the fields you mentioned in your message: date, time, devname, Device Name, Process Path, Severity and Rules List. You can easily add more fields by creating analogous decoders.You can add these decoders to
/var/ossec/etc/decoders/local_decoder.xml or create a separate decoder file for them.Note that to create and test your decoders, you should remove the following header: 2023 Aug 23 00:00:11 WZHA094HP01->10.94.94.11 as this is added by Wazuh but is not part of the original message.Once you edited your decoders, you can test them using
/var/ossec/bin/wazuh-logtest:After testing your rules and decoders with
Let us know if you have any questions.
wazuh-logtest, remember to restart your manager to apply these changes to future alerts.Let us know if you have any questions.
Best regards,
Sandra.
--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/07eabcb7-5fb9-4b6a-bd10-e72006205c6fn%40googlegroups.com.
Fidel
Aug 31, 2023, 7:32:49 AM8/31/23
to Wazuh | Mailing List
Thank you. Just I need to make a rule which triggers an alert every time a FortiEDR log is received and in function of severity: Low, Medium or High define the level of the alert, as example: Low - 3, Medium - 6 and High - 9.
Sandra Ocando
Sep 1, 2023, 4:37:44 AM9/1/23
to Fidel, Wazuh | Mailing List
Hello,I've created some rules based on the level of severity. Note that there's a parent rule to group all events decoded as
FortiEDR and the corresponding child rules to differentiate according to the event's severity.The rule description includes the event severity followed by the rules list, for example, "'High severity FortiEDR event: Suspicious Application - Connection Attempt from a Suspicious Application". You can change the description and customize these rules according to your needs. You can add these rules in
/var/ossec/etc/rules/local_rules.xml or you can create a dedicated file if you prefer. Remember to restart your Wazuh manager to apply changes.Here's the result of using wazuh-logtest with the original log you shared:Let us know if you have any questions.
Best regards,
Sandra.
Best regards,
Sandra.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/031a4a9f-6b90-43fa-ab25-1d729b53a678n%40googlegroups.com.
Fidel
Sep 1, 2023, 4:52:50 AM9/1/23
to Wazuh | Mailing List
Thanks.
Fidel
Sep 1, 2023, 5:35:37 AM9/1/23
to Wazuh | Mailing List
I have a question related to another topic. How I can receive logs from two different ports? I want to add 10.94.94.21/24 port 515.
<remote>
<connection>syslog</connection>
<port>513</port>
<protocol>tcp</protocol>
<allowed-ips>10.94.94.11/24</allowed-ips>
</remote>
<connection>syslog</connection>
<port>513</port>
<protocol>tcp</protocol>
<allowed-ips>10.94.94.11/24</allowed-ips>
</remote>
Thanks.
Sandra Ocando
Sep 4, 2023, 3:35:22 AM9/4/23
to Fidel, Wazuh | Mailing List
Hello Fidel,
Yes, you can receive logs from two different ports. To set this up, simply add another remote stanza with the desired port, for example, 515:
After making this configuration change, don't forget to restart your Wazuh manager for the changes to take effect.
Feel free to reach out if you have any further questions.
Cheers,
Sandra.
Yes, you can receive logs from two different ports. To set this up, simply add another remote stanza with the desired port, for example, 515:
After making this configuration change, don't forget to restart your Wazuh manager for the changes to take effect.
Feel free to reach out if you have any further questions.
Cheers,
Sandra.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/0bfcb973-f1b1-4c16-8944-607798c54482n%40googlegroups.com.
Message has been deleted
Fidel
Sep 5, 2023, 5:36:51 AM9/5/23
to Wazuh | Mailing List
I'm triying to decode a log from FortiClient but I don't know how to extract some fields. The fields are date, devname, source_type, msg. And the problem is on Computer field.
2023 Aug 29 00:00:03 WZHA094HP01->10.94.94.11 date=2023-08-28 time=20:39:46 timestamp=1693258786 devname="devicename" devid="deviceid" fctuid="26E602440F3C4E0D99A1661446BB8CE4" source="win" source_ver="10" source_type="Windows Events" msg="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='nhi'/><EventID Qualifiers='16388'>9007</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2023-08-28T21:39:36.4682735Z'/><EventRecordID>496714</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15524'/><Channel>System</Channel><Computer>computername</Computer><Security/></System><EventData><Data></Data><Binary>0000000001000000000000002F230440000000000000000000000000000000000000000000000000</Binary></EventData></Event>" tz="-0100"
Thanks.
Sandra Ocando
Sep 5, 2023, 7:48:47 AM9/5/23
to Fidel, Wazuh | Mailing List
Hi Fidel,
Would you mind sharing your decoders so I can test them in my lab environment?
Looking forward to your answer.
Sandra.
Would you mind sharing your decoders so I can test them in my lab environment?
What kind of problems are you facing with the computer field? Would you like to extract some fields from the msg field?
Looking forward to your answer.
Sandra.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/b3bd1825-4313-4ad4-9240-216b470aab83n%40googlegroups.com.
Fidel
Sep 5, 2023, 9:43:46 AM9/5/23
to Wazuh | Mailing List
Yes, I want to extract just
<Computer>computername</Computer> what in the computer field. I don't know how to extract this field.
<regex>date=(\.*)\s\w+=|date=(\.*)$</regex>
<order>date</order>
</decoder>
<regex>time=(\.*)\s\w+=|time=(\.*)$</regex>
<order>time</order>
</decoder>
<regex>devname=(\.*)\s\w+=|devname=(\.*)$</regex>
<order>devname</order>
</decoder>
<decoder name="FortiClient">
<prematch>devicename</prematch>
</decoder>
<decoder name="FortiClient">
<parent>FortiClient</parent>
<prematch>devicename</prematch>
</decoder>
<decoder name="FortiClient">
<parent>FortiClient</parent>
<regex>date=(\.*)\s\w+=|date=(\.*)$</regex>
<order>date</order>
</decoder>
<decoder name="FortiClient">
<parent>FortiClient</parent>
<parent>FortiClient</parent>
<regex>time=(\.*)\s\w+=|time=(\.*)$</regex>
<order>time</order>
</decoder>
<decoder name="FortiClient">
<parent>FortiClient</parent>
<parent>FortiClient</parent>
<regex>devname=(\.*)\s\w+=|devname=(\.*)$</regex>
<order>devname</order>
</decoder>
<decoder name="FortiClient">
<parent>FortiClient</parent>
<regex>source_type=(\.*)\s\w+=|source_type=(\.*)$</regex>
<order>source_type</order>
</decoder>
<decoder name="FortiClient">
<parent>FortiClient</parent>
<regex><Computer>(\.*)</Computer>$</regex>
<order>Computer</order>
</decoder>
<parent>FortiClient</parent>
<regex>source_type=(\.*)\s\w+=|source_type=(\.*)$</regex>
<order>source_type</order>
</decoder>
<decoder name="FortiClient">
<parent>FortiClient</parent>
<regex><Computer>(\.*)</Computer>$</regex>
<order>Computer</order>
</decoder>
Thanks.
Sandra Ocando
Sep 6, 2023, 4:42:45 AM9/6/23
to Fidel, Wazuh | Mailing List
Hello,
As the
A possible expression for extracting the computer name is:
As the
<computer> field contains special characters, you need to adapt your regex accordingly. You should escape the < character by adding a backslash \ in front of it. To match the > character, you can use the \p expression.A possible expression for extracting the computer name is:
To learn more, see the Regex (OS_Regex) syntax reference.
Here are your decoders with the modification for extracting the computer name:
Here are your decoders with the modification for extracting the computer name:
And here's the result of testing your log with the modified decoders:
Let us know if this solves your issue.
Cheers,
Sandra.
Cheers,
Sandra.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/cb499502-3901-4fb4-b3e9-1999bf57dc06n%40googlegroups.com.
Fidel
Sep 6, 2023, 4:43:33 AM9/6/23
to Wazuh | Mailing List
I have another question. I created this decoder for Extrahop but didn't match in the decoder fase.
<decoder name="ExtraHop">
<prematch>ExtraHop</prematch>
</decoder>
<decoder name="ExtraHop">
<parent>ExtraHop</parent>
<regex>\d+(\d+-\d+-\d+\w+\d+:\d+:\d+.\d+\p\d+:\d+) </regex>
<order>log_timestamp</order>
</decoder>
<decoder name="ExtraHop">
<parent>ExtraHop</parent>
<regex>(\d+)\|(\.*)\|(\.*)\|(\.*)\|(\.*)\|(\.*)\|(\.*)\|</regex>
<order>CEFversion,Vendor,Product,ProductVersion,EventID,EventName,EventSeverity</order>
</decoder>
<decoder name="ExtraHop">
<parent>ExtraHop</parent>
<regex>cn1=(\.*)\s\w+=|cn1=(\.*)$</regex>
<order>cn1</order>
</decoder>
<decoder name="ExtraHop">
<parent>ExtraHop</parent>
<regex>cn1Label=(\.*)\s\w+=|cn1Label=(\.*)$</regex>
<order>cn1Label</order>
</decoder>
<decoder name="ExtraHop">
<parent>ExtraHop</parent>
<regex>cn2=(\.*)\s\w+=|cn2=(\.*)$</regex>
<order>cn2</order>
</decoder>
<decoder name="ExtraHop">
<parent>ExtraHop</parent>
<regex>cn2Label=(\.*)\s\w+=|cn2Label=(\.*)$</regex>
<order>cn2Label</order>
</decoder>
<decoder name="ExtraHop">
<parent>ExtraHop</parent>
<regex>cs1=(\.*)\s\w+=|cs1=(\.*)$</regex>
<order>cs1</order>
</decoder>
<decoder name="ExtraHop">
<parent>ExtraHop</parent>
<regex>cs1Label=(\.*)\s\w+=|cs1Label=(\.*)$</regex>
<order>cs1Label</order>
</decoder>
<prematch>ExtraHop</prematch>
</decoder>
<decoder name="ExtraHop">
<parent>ExtraHop</parent>
<regex>\d+(\d+-\d+-\d+\w+\d+:\d+:\d+.\d+\p\d+:\d+) </regex>
<order>log_timestamp</order>
</decoder>
<decoder name="ExtraHop">
<parent>ExtraHop</parent>
<regex>(\d+)\|(\.*)\|(\.*)\|(\.*)\|(\.*)\|(\.*)\|(\.*)\|</regex>
<order>CEFversion,Vendor,Product,ProductVersion,EventID,EventName,EventSeverity</order>
</decoder>
<decoder name="ExtraHop">
<parent>ExtraHop</parent>
<regex>cn1=(\.*)\s\w+=|cn1=(\.*)$</regex>
<order>cn1</order>
</decoder>
<decoder name="ExtraHop">
<parent>ExtraHop</parent>
<regex>cn1Label=(\.*)\s\w+=|cn1Label=(\.*)$</regex>
<order>cn1Label</order>
</decoder>
<decoder name="ExtraHop">
<parent>ExtraHop</parent>
<regex>cn2=(\.*)\s\w+=|cn2=(\.*)$</regex>
<order>cn2</order>
</decoder>
<decoder name="ExtraHop">
<parent>ExtraHop</parent>
<regex>cn2Label=(\.*)\s\w+=|cn2Label=(\.*)$</regex>
<order>cn2Label</order>
</decoder>
<decoder name="ExtraHop">
<parent>ExtraHop</parent>
<regex>cs1=(\.*)\s\w+=|cs1=(\.*)$</regex>
<order>cs1</order>
</decoder>
<decoder name="ExtraHop">
<parent>ExtraHop</parent>
<regex>cs1Label=(\.*)\s\w+=|cs1Label=(\.*)$</regex>
<order>cs1Label</order>
</decoder>
2023-09-05T22:10:47.623Z 10.94.94.21 CEF:0|ExtraHop|Reveal(x)|8.6|1|SMBv1 Connection|3|cn2=30 cn2Label=riskScore cs1=https://10.94.94.21/extrahop/#/detections/detail/16943 cs1Label=detectionURL cs2=sec,sec.hardening cs2Label=category cs3=16943 cs3Label=detectionIDstring rt=2023-08-29T22:07:48.201Z end=2023-08-29T22:07:48.201Z start=2023-08-15T22:37:01.382Z src=00:15:5D:A0:19:5E msg=[alc0025vlp.company](#/metrics/devices/83101f5dacfb4183b23e1484fd0c494e.00155da0195e0000/overview?from\=1692139021&interval_type\=DT&until\=1693346868) established a Server Message Block (SMB) connection with the SMBv1 dialect. This deprecated dialect of the SMB/CIFS protocol is known to be vulnerable to attacks.
Thanks.
Fidel
Sep 6, 2023, 5:00:45 AM9/6/23
to Wazuh | Mailing List
It appears an error using the expression
Sandra Ocando
Sep 6, 2023, 5:19:02 AM9/6/23
to Fidel, Wazuh | Mailing List
I'm attaching the decoder file. If you continue to encounter the error,
please provide additional details so we can assist with troubleshooting.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/225d64e7-2f30-48e9-ba2e-ed29ad89e10en%40googlegroups.com.
Sandra Ocando
Sep 6, 2023, 6:36:42 AM9/6/23
to Fidel, Wazuh | Mailing List
This is a known limitation when working with the visual rule and decoder editor. Try adding the file directly to
/var/ossec/etc/decoders/ and let us know how it goes.Alternative, you may use the
\p expression instead of \< :Regarding the ExtraHop decoder, I'll work on it as soon as I can and get back to you.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/e9049291-620e-4301-8021-9f5d29462270n%40googlegroups.com.
Fidel
Sep 6, 2023, 10:19:54 AM9/6/23
to Wazuh | Mailing List
Ok, it's all working, extrahop too.
Thanks.
Reply all
Reply to author
Forward
0 new messages