Allow Company name which has URL using CDB list.


DIWAHAR RAHAWID

4:45 AM (19 hours ago)
to Wazuh | Mailing List
Hi Team, 

I have followed the steps as per the doc https://github.com/juaromu/wazuh-windows-software-policy, which was working fine. Now I face an issue in allowing "data.win.eventdata.company: The Wireshark developer community, https://www.wireshark.org/". As this has the URL in it, the CDB list is not accepting it. Is there a way to allow this application?

Rule I use:

<group name="allowapplication, ">
 <!-- Rules 100500 - 100999: Exceptions/Rule Level Mod -->
 <rule id="100500" level="16">
  <if_sid>61603</if_sid>
  <list field="win.eventdata.company" lookup="not_match_key">etc/lists/software-vendors</list>
  <description>Sysmon - Event 1: Process $(win.eventdata.description) started but not allowed by the software policy</description>
  <mitre>
   <id>T1036</id>
  </mitre>
  <options>no_full_log</options>
  <group>sysmon_event1,software_policy</group>
 </rule>
</group>

Regards
Diwahar

Jorge Fabiano Núñez García

12:06 PM (12 hours ago)
to Wazuh | Mailing List
Hi DIWAHAR

Thanks for the details. I am going to replicate this behavior and will share an update soon.

Best regards,
Jorge
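
An added example, not part of the thread and not Wazuh's own code: a lint for a CDB list file that flags vendor strings like the Wireshark one, whose key contains a colon. It assumes an entry is split at the first colon outside double quotes and that a key containing a colon can be written inside double quotes; the function names and the sample list are constructed.

```python
# Added example: lint a Wazuh CDB list (one key:value per line) for vendor
# strings that contain ':' and would be stored under a truncated key.
# Assumptions: an entry is split at the first colon outside double quotes,
# and a key containing ':' can be written inside double quotes.

# Constructed sample data, not taken from the thread's actual list file.
WIRESHARK = "The Wireshark developer community, https://www.wireshark.org/"
SAMPLE_LIST = [
    "Microsoft Corporation:",
    WIRESHARK + ":",          # unquoted: splits at the ':' in "https:"
]


def split_entry(line):
    """Return (key, value) the way a first-colon split sees the line."""
    line = line.rstrip("\r\n")
    if line.startswith('"'):
        end = line.find('"', 1)
        if end != -1 and line[end + 1:end + 2] == ":":
            return line[1:end], line[end + 2:]
    key, _, value = line.partition(":")
    return key, value


def quote_key(key, value=""):
    """Build a list line whose key is protected by double quotes."""
    return '"{}":{}'.format(key, value)


def lint(lines, expected_keys):
    """Map each expected key the list would not return to a quoted line.

    expected_keys are vendor strings exactly as win.eventdata.company
    reports them.
    """
    stored = {split_entry(l)[0] for l in lines if l.strip()}
    return {k: quote_key(k) for k in expected_keys if k not in stored}


if __name__ == "__main__":
    for key, fixed in lint(SAMPLE_LIST, ["Microsoft Corporation", WIRESHARK]).items():
        print("not matched:", key)
        print("suggested  :", fixed)
```

Under that assumption the unquoted entry is stored as "The Wireshark developer community, https", so the `not_match_key` lookup in rule 100500 never finds the full company string and the alert keeps firing for Wireshark.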