syscheck_new_entry decoder
Manuel Sánchez
Ariel Ojeda
Hi!
I hope this message finds you well!
There is no need for you to write a custom child decoder for this use case.
The Syscheck module generates events for FIM that are matched to some decoders which will extract different fields from the events, such as the file/path. You can use that field as a criteria for a rule to generate alerts based on the information in that field. To ensure your rule will be matched to those events you can make it a child to the default ones (using if_sid or if_group depending on the use case). Here, since you want to trigger this when the file has been added, the stock rule that generates the alert is 554.
You can make your rule child to that one to make sure your criteria is evaluated when rule 554 is matched. You can then use the field option to check the contents of the “file” field extracted by the Syscheck decoder and using a regex check for .zip files and trigger your alert if a zip file is added to any folder being monitored by Syscheck with the configuration you added to the agent.
<rule id=100120 level=3> <if_sid>554</if_sid> <field name="file">.zip$</field> <description>Zip file added to folder</description> </rule>There is a correspondence between how the fields are called by the decoder and how they appear in the alert for this type of event, I am leaving below some reference documentation:
https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/creating-custom-fim-rules.html#mapping-fim-fields-to-wazuh-alerts
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rules-field
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
I hope this helps!