Decoder for a Sysmon Event


Tom Powers

Aug 1, 2023, 10:08:22 AM
to Wazuh mailing list
Hello,

How would one build a decoder for the Sysmon 22 event?

Example Event:

2023 Jul 31 01:03:22 (SDL23) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"22","version":"5","level":"4","task":"22","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-07-31T01:03:20.8337940Z","eventRecordID":"3965131","processID":"4436","threadID":"6364","channel":"Microsoft-Windows-Sysmon/Operational","computer":"SDL23.ssi.private","severityValue":"INFORMATION","message":"\"Dns query:\r\nRuleName: -\r\nUtcTime: 2023-07-31 01:03:35.106\r\nProcessGuid: {6b0aea5e-7e12-64af-e300-000000000d00}\r\nProcessId: 896\r\nQueryName: huntress.io\r\nQueryStatus: 0\r\nQueryResults: ::ffff:54.205.213.128;::ffff:54.144.158.23;::ffff:44.214.241.73;::ffff:35.172.187.164;::ffff:44.206.18.117;::ffff:3.86.123.150;\r\nImage: C:\\Program Files\\Huntress\\HuntressAgent.exe\r\nUser: NT AUTHORITY\\SYSTEM\""},"eventdata":{"utcTime":"2023-07-31 01:03:35.106","processGuid":"{6b0aea5e-7e12-64af-e300-000000000d00}","processId":"896","queryName":"huntress.io","queryStatus":"0","queryResults":"::ffff:54.205.213.128;::ffff:54.144.158.23;::ffff:44.214.241.73;::ffff:35.172.187.164;::ffff:44.206.18.117;::ffff:3.86.123.150;","image":"C:\\\\Program Files\\\\Huntress\\\\HuntressAgent.exe","user":"NT AUTHORITY\\\\SYSTEM"}}}

Carlos Ezequiel Bordon

Aug 1, 2023, 11:49:16 AM
to Tom Powers, Wazuh mailing list
Hello Tom Powers, I am sharing the documentation to create custom rules: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html. Here is a guide that we have on how to create rules to monitor Sysmon events in Windows: https://wazuh.com/blog/using-wazuh-to-monitor-sysmon-events/



--

Wazuh

Carlos Bordon

CICD/DevOps
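For the event in the original question, the practical answer is that no custom decoder is needed: the Windows eventchannel output is JSON, Wazuh's built-in json decoder already decodes it, and the fields are addressable in rules as win.system.* and win.eventdata.* (eventID, queryName, image, user, and so on, exactly as they appear in the sample). What is needed is a rule. The following is an added illustration, not code from the thread or from Wazuh's own ruleset: a base rule matching Sysmon Event ID 22 and a child rule that raises the level when the queried name is on a watchlist. The rule IDs 100100/100101 are assumed to be free in the custom range 100000-119999, and the watchlisted domains are a constructed placeholder list, not a recommendation.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml
     Added example for Sysmon Event ID 22 (DnsQuery); not from the thread or the
     Wazuh ruleset. Rule IDs 100100/100101 are assumed unused in the custom range. -->
<group name="sysmon,sysmon_event_22,">

  <!-- Base rule: every Sysmon DNS query event.
       The built-in json decoder exposes the eventchannel JSON as
       win.system.* and win.eventdata.*, so no custom decoder is required. -->
  <rule id="100100" level="3">
    <decoded_as>json</decoded_as>
    <field name="win.system.providerName">^Microsoft-Windows-Sysmon$</field>
    <field name="win.system.eventID">^22$</field>
    <description>Sysmon - Event 22: DNS query for $(win.eventdata.queryName) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1071.004</id>
    </mitre>
  </rule>

  <!-- Child rule: same event, but the queried name matches a watchlist.
       The domains below are a constructed placeholder; replace them with your own.
       type="pcre2" needs Wazuh 4.2 or later; older versions use the default OS_Regex syntax. -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <field name="win.eventdata.queryName" type="pcre2">(?i)(pastebin\.com|ngrok\.io)$</field>
    <description>Sysmon - Event 22: DNS query for watchlisted domain $(win.eventdata.queryName) by $(win.eventdata.image) (user $(win.eventdata.user))</description>
  </rule>

</group>
```

To check the rule before relying on it, restart the manager and run /var/ossec/bin/wazuh-logtest, pasting only the JSON object from the sample, i.e. the text starting at {"win": ... . The leading "2023 Jul 31 01:03:22 (SDL23) any->EventChannel" is the archives.log header, not part of the log, and the decoder will not match if it is included. The output should show the json decoder and rule 100100 firing with queryName, image and user extracted; querying one of the watchlisted names should escalate to 100101.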
