Rules and Decoder for ESET Protect syslog


A.C

May 14, 2024, 1:04:15 AM
to Wazuh | Mailing List
Hello, I added syslog in Wazuh to receive alerts from ESET, but I can't see the events in Wazuh. I need to make a decoder and rules to display them.

{"timestamp":"2024-05-13T17:01:11.153+0000","agent":{"id":"000","name":"vm-wazuh-01"},"manager":{"name":"vm-wazuh-01"},"id":"1715619671.1559345","full_log":"1 2024-05-13T17:01:11.154Z VM-ESET-01 ERAServer 5550 - - {\"event_type\":\"FilteredWebsites_Event\",\"ipv4\":\"10.9.1.11\",\"hostname\":\"desktop-6cm69dh.sanholon.com\",\"os_name\":\"Microsoft Windows 10 Pro\",\"group_name\":\"All/HILARION\",\"source_uuid\":\"08d4423b-4a4a-4d50-ada8-a387c3414088\",\"occurred\":\"13 May 2024 17:09:42\",\"severity\":\"Warning\",\"event\":\"An attempt to connect to the URL\",\"target_address\":\"22,107 .42.36\",\"target_address_type\":\"IPv4\",\"scanner_id\":\"HTTP Filter\",\"action_taken\":\"Blocked\",\"handled\":true,\"object_uri\":\"config.edge.skype.com\",\"hash\":\"4940928253E0EA91417D930C6835BFFC120D67A4\",\"username\":\"SAHOLON\\\\cpedro\",\"processname\":\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\"rule_id\":\"Website certificate revoked\"}","decoder":{},"location":"192.168.20.120"}

I appreciate the help.

Stuti Gupta

May 14, 2024, 1:48:26 AM
to Wazuh | Mailing List
Hi team!
Please allow me some time. I'm looking into this query and will update you with an appropriate answer.

Stuti Gupta

May 14, 2024, 4:30:04 AM
to Wazuh | Mailing List
Wazuh has an integrated decoder feature, tailored for JSON logs, enabling the extraction of data from any source utilizing this format. The log you provided can be extracted using the built-in JSON decoder, as exemplified below:
<decoder name="ESET">
        <prematch>VM-ESET-\d+</prematch>
</decoder>

<decoder name="VM-ESET">
        <parent>ESET</parent>
        <prematch> \.+ \d+ - - </prematch>
        <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>
Given the common prematch pattern in the provided log, the parent decoder will match it, the child decoder will align with it, and the payload will subsequently be decoded by the JSON_Decoder. Then create the rule like:

<group name="ESET">
    <rule id="100216" level="3">
        <decoded_as>ESET</decoded_as>
        <description>ESET:Website certificate revoked</description>
    </rule>
</group>

Then, to apply the changes, restart wazuh-manager using the command: systemctl restart wazuh-manager


For further insights, please refer to the Wazuh documentation on the JSON decoder and https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Hope this helps
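To see what the decoder chain in the answer above actually produces before touching the manager, here is an added Python model of it (not Wazuh code and not the poster's): the parent prematch on the `VM-ESET-<n>` hostname, the child prematch ending at the `- - ` separator, a JSON decode of what follows with fields flattened into Wazuh-style `data.*` names, and a small rule evaluator in which rule 100216 is the generic rule from the answer and 100217/100218 are constructed child rules that key on `data.event_type` and `data.action_taken`, the way an `<if_sid>` plus `<field name="...">` pair would in Wazuh. The sample log is constructed from the poster's event with a documentation IP (203.0.113.10) substituted for the target address; the regexes are Python `re` equivalents of the OS_Regex prematches, not OS_Regex itself. Wazuh's own tool for this check is `/var/ossec/bin/wazuh-logtest`.

```python
import json
import re

# Constructed sample built from the poster's log: same syslog header and
# field names, with a documentation IP substituted for the target address.
SAMPLE_LOG = (
    '1 2024-05-13T17:01:11.154Z VM-ESET-01 ERAServer 5550 - - '
    '{"event_type":"FilteredWebsites_Event","ipv4":"10.9.1.11",'
    '"hostname":"desktop-6cm69dh.sanholon.com","severity":"Warning",'
    '"event":"An attempt to connect to the URL",'
    '"target_address":"203.0.113.10","target_address_type":"IPv4",'
    '"scanner_id":"HTTP Filter","action_taken":"Blocked","handled":true,'
    '"object_uri":"config.edge.skype.com",'
    '"rule_id":"Website certificate revoked"}'
)

# Python equivalents of the two OS_Regex prematches in the answer.
# The parent matches the ESET server hostname; the child consumes the rest
# of the syslog header up to and including the "- - " separator so that
# offset="after_prematch" leaves only the JSON payload.
PARENT_PREMATCH = re.compile(r"VM-ESET-\d+")
CHILD_PREMATCH = re.compile(r" .+ \d+ - - ")


def _flatten(obj, prefix="data"):
    """Flatten nested JSON into dotted keys, as Wazuh exposes them (data.x.y)."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}"
        if isinstance(value, dict):
            out.update(_flatten(value, name))
        else:
            out[name] = value
    return out


def decode_eset(full_log):
    """Return (decoder_name, fields); decoder_name is None if nothing matched."""
    if not PARENT_PREMATCH.search(full_log):
        return None, {}
    match = CHILD_PREMATCH.search(full_log)
    if not match:
        return "ESET", {}
    try:
        payload = json.loads(full_log[match.end():])
    except json.JSONDecodeError:
        return "ESET", {}          # header matched but payload was not JSON
    return "ESET", _flatten(payload)


# Rule set, all with <decoded_as>ESET</decoded_as>: 100216 is the generic rule
# from the answer; 100217 and 100218 are constructed child rules that match on
# decoded fields so alerts are classified by ESET event type.
RULES = [
    {"id": 100216, "level": 3, "if_sid": None, "fields": {},
     "description": "ESET event"},
    {"id": 100217, "level": 5, "if_sid": 100216,
     "fields": {"data.event_type": r"^FilteredWebsites_Event$",
                "data.action_taken": r"^Blocked$"},
     "description": "ESET: web request blocked by HTTP Filter"},
    {"id": 100218, "level": 8, "if_sid": 100216,
     "fields": {"data.event_type": r"^Threat_Event$"},
     "description": "ESET: threat detected on endpoint"},
]


def evaluate_rules(decoder, fields, rules=RULES):
    """Return the most specific matching rule (or None); parents before children."""
    if decoder != "ESET":
        return None
    matched = set()
    best = None
    for rule in rules:
        if rule["if_sid"] is not None and rule["if_sid"] not in matched:
            continue
        if not all(name in fields and re.search(pattern, str(fields[name]))
                   for name, pattern in rule["fields"].items()):
            continue
        matched.add(rule["id"])
        best = rule
    return best


if __name__ == "__main__":
    decoder, fields = decode_eset(SAMPLE_LOG)
    rule = evaluate_rules(decoder, fields)
    print("decoder:", decoder)
    for name in ("data.event_type", "data.action_taken", "data.rule_id"):
        print(f"{name} = {fields.get(name)}")
    print("rule:", rule["id"], "level", rule["level"], rule["description"])
```

The point the model makes visible is that the generic rule in the answer fires for every ESET event, whatever its `event_type`, so its description "Website certificate revoked" will be attached to unrelated events; the child rules show how to split on the decoded fields instead. A log whose header matches but whose payload is not valid JSON still reaches the parent decoder and the generic rule, which is worth knowing when ESET and Wazuh disagree about the syslog format.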

Stuti Gupta

May 15, 2024, 12:57:44 AM
to Wazuh | Mailing List
Hi
Please let me know if this helps 