Problems to write a decoder for S1 and CEF2 format


Carlos Lopez

Oct 6, 2022, 11:54:37 AM
to wa...@googlegroups.com
Hi all,

I am trying to deploy a new decoder for our S1 logs but I am stopped due to some problem that I don’t understand. First a sample log:

Oct 6 10:36:04 2022-10-06 10: 36:04,350 sentinel - CEF:2|SentinelOne|Mgmt|Windows 10 Pro|rt=2022-10-06 10:35:55.658115|fileHash=01412235baf64c5b928252639369eea4e2ba5192|filePath=\Device\HarddiskVolume3\Users\my.user\Downloads\Alerta.exe|fileName=Alerta.exe|deviceAddress=18.198.190.203|deviceHostFqdn=euce1-exclusive.sentinelone.net|deviceHostName=euce1-exclusive.sentinelone.net|notificationScope=SITE|siteId=1358622531178348588|siteName=Group|accountId=1358622531169959977|accountName=ES \|\|ES-76\|\Security Services S.L.|vendor=SentinelOne|eventID=4003|eventDesc=New Suspicious threat detected - machine WRKO119|eventSeverity=1|originatorName=WRKO119|originatorVersion=21.7.5.1080|sourceAgentLastActivityTimestamp=2022-10-06 10:35:55.638991|sourceAgentRegisterTimestamp=2022-05-07 14:30:33.134606|sourceNetworkState=connected|sourceOsRevision=19044|sourceOsType=windows|sourceAgentUuid=6ed9d5783d56413f800a0138f34feb75|sourceFqdn=WRKO119.WORKGROUP|sourceThreatCount=2|sourceMgmtPrecievedAddress=92.184.80.14|sourceDnsDomain=WORKGROUP|sourceHostName=WRKO119|sourceUserName=|sourceUserId=|sourceAgentId=1415200390635609493|sourceGroupId=1372370298216691873|sourceGroupName=Security|sourceIpAddresses=['192.168.59.1', 'fe80::15c8:d6d:a7f:976b', '192.168.56.1', 'fe80::64a8:6a29:bcca:aacc', '192.168.63.1', 'fe80::dd9a:a2a:ae92:beb9', '172.28.176.1', 'fe80::44db:a5f5:ded8:d2c5', '192.168.1.102', 'fe80::2d84:6e27:fcad:f24c', '172.18.32.1', 'fe80::3529:ad88:f9ae:4a9f']|sourceMacAddresses=['0a:00:27:00:00:11', '0a:00:27:00:00:19', '0a:00:27:00:00:06', '00:15:5d:8a:79:3c', 'c2:21:b9:a2:1f:40', 
'00:15:5d:98:ab:8a']|threatClassification=None|threatClassificationSource=None|threatDetectingEngine=windows.preExecutionSuspicious|threatClassifier=STATIC|threatMitigationStatus=not_mitigated|threatConfidenceLevel=suspicious|threatMitigatedPreemptively=False|threatMitigationStatusLabel=suspicious|threatMitigationStatusID=3|threatCommandLineArguments=None|threatID=1525248211309748254|threatStoryline=E32635ECDC1E8118|threatDetectionTime=2022-10-06 10:35:55.658115|threatIndicatorsList=[29, 12]|threatProcessUser=GROUP\my.user|fileHashSha256=None|fileHashMd5=None|cat=MALWARE|activityID=1525248211443965987|activityType=4003

In theory, the following entries in local_decoders.xml should work (they almost work for other CEF log formats):

<decoder name="sentinelone">
  <prematch>CEF:2\|SentinelOne\|Mgmt</prematch>
</decoder>

But they don’t work … I have tried other combinations using pcre2 and others but nothing …

What am I doing wrong?

Best regards,
C. L. Martinez



Jose Camargo

Oct 6, 2022, 5:04:05 PM
to Wazuh mailing list
Hi Carlos, thank you for using Wazuh.

You can set up this decoder to get the data:

<decoder name="sentinelone-custom">
  <prematch>\.*CEF:2\|SentinelOne\|Mgmt</prematch>
</decoder>

<decoder name="sentinelone-custom-fields">
  <parent>sentinelone-custom</parent>
  <regex offset="after_parent">\.*filePath=(\.*)\|.*</regex>
  <order>filepath</order>
</decoder>

<decoder name="sentinelone-custom-fields">
  <parent>sentinelone-custom</parent>
  <regex offset="after_parent">\.*fileHash=(\S+)\|</regex>
  <order>filehash</order>
</decoder>

This is the result of the test:
**Phase 1: Completed pre-decoding.
       full event: 'Oct 6 10:36:04 2022-10-06 10: 36:04,350 sentinel - CEF:2|SentinelOne|Mgmt|Windows 10 Pro|rt=2022-10-06 10:35:55.658115|fileHash=01412235baf64c5b928252639369eea4e2ba5192|filePath=\Device\HarddiskVolume3\Users\my.user\Downloads\Alerta.exe|fileName=Alerta.exe|deviceAddress=18.198.190.203|deviceHostFqdn=euce1-exclusive.sentinelone.net|deviceHostName=euce1-exclusive.sentinelone.net|notificationScope=SITE|siteId=1358622531178348588|siteName=Group|accountId=1358622531169959977|accountName=ES \|\|ES-76\|\Security Services S.L.|vendor=SentinelOne|eventID=4003|eventDesc=New Suspicious threat detected - machine WRKO119|eventSeverity=1|originatorName=WRKO119|originatorVersion=21.7.5.1080|sourceAgentLastActivityTimestamp=2022-10-06 10:35:55.638991|sourceAgentRegisterTimestamp=2022-05-07 14:30:33.134606|sourceNetworkState=connected|sourceOsRevision=19044|sourceOsType=windows|sourceAgentUuid=6ed9d5783d56413f800a0138f34feb75|sourceFqdn=WRKO119.WORKGROUP|sourceThreatCount=2|sourceMgmtPrecievedAddress=92.184.80.14|sourceDnsDomain=WORKGROUP|sourceHostName=WRKO119|sourceUserName=|sourceUserId=|sourceAgentId=1415200390635609493|sourceGroupId=1372370298216691873|sourceGroupName=Security|sourceIpAddresses=['192.168.59.1', 'fe80::15c8:d6d:a7f:976b', '192.168.56.1', 'fe80::64a8:6a29:bcca:aacc', '192.168.63.1', 'fe80::dd9a:a2a:ae92:beb9', '172.28.176.1', 'fe80::44db:a5f5:ded8:d2c5', '192.168.1.102', 'fe80::2d84:6e27:fcad:f24c', '172.18.32.1', 'fe80::3529:ad88:f9ae:4a9f']|sourceMacAddresses=['0a:00:27:00:00:11', '0a:00:27:00:00:19', '0a:00:27:00:00:06', '00:15:5d:8a:79:3c', 'c2:21:b9:a2:1f:40', 
'00:15:5d:98:ab:8a']|threatClassification=None|threatClassificationSource=None|threatDetectingEngine=windows.preExecutionSuspicious|threatClassifier=STATIC|threatMitigationStatus=not_mitigated|threatConfidenceLevel=suspicious|threatMitigatedPreemptively=False|threatMitigationStatusLabel=suspicious|threatMitigationStatusID=3|threatCommandLineArguments=None|threatID=1525248211309748254|threatStoryline=E32635ECDC1E8118|threatDetectionTime=2022-10-06 10:35:55.658115|threatIndicatorsList=[29, 12]|threatProcessUser=GROUP\my.user|fileHashSha256=None|fileHashMd5=None|cat=MALWARE|activityID=1525248211443965987|activityType=4003'
       timestamp: '(null)'
       hostname: 'wazuhaoi-srv'
       program_name: '(null)'
       log: 'Oct 6 10:36:04 2022-10-06 10: 36:04,350 sentinel - CEF:2|SentinelOne|Mgmt|Windows 10 Pro|rt=2022-10-06 10:35:55.658115|fileHash=01412235baf64c5b928252639369eea4e2ba5192|filePath=\Device\HarddiskVolume3\Users\my.user\Downloads\Alerta.exe|fileName=Alerta.exe|deviceAddress=18.198.190.203|deviceHostFqdn=euce1-exclusive.sentinelone.net|deviceHostName=euce1-exclusive.sentinelone.net|notificationScope=SITE|siteId=1358622531178348588|siteName=Group|accountId=1358622531169959977|accountName=ES \|\|ES-76\|\Security Services S.L.|vendor=SentinelOne|eventID=4003|eventDesc=New Suspicious threat detected - machine WRKO119|eventSeverity=1|originatorName=WRKO119|originatorVersion=21.7.5.1080|sourceAgentLastActivityTimestamp=2022-10-06 10:35:55.638991|sourceAgentRegisterTimestamp=2022-05-07 14:30:33.134606|sourceNetworkState=connected|sourceOsRevision=19044|sourceOsType=windows|sourceAgentUuid=6ed9d5783d56413f800a0138f34feb75|sourceFqdn=WRKO119.WORKGROUP|sourceThreatCount=2|sourceMgmtPrecievedAddress=92.184.80.14|sourceDnsDomain=WORKGROUP|sourceHostName=WRKO119|sourceUserName=|sourceUserId=|sourceAgentId=1415200390635609493|sourceGroupId=1372370298216691873|sourceGroupName=Security|sourceIpAddresses=['192.168.59.1', 'fe80::15c8:d6d:a7f:976b', '192.168.56.1', 'fe80::64a8:6a29:bcca:aacc', '192.168.63.1', 'fe80::dd9a:a2a:ae92:beb9', '172.28.176.1', 'fe80::44db:a5f5:ded8:d2c5', '192.168.1.102', 'fe80::2d84:6e27:fcad:f24c', '172.18.32.1', 'fe80::3529:ad88:f9ae:4a9f']|sourceMacAddresses=['0a:00:27:00:00:11', '0a:00:27:00:00:19', '0a:00:27:00:00:06', '00:15:5d:8a:79:3c', 'c2:21:b9:a2:1f:40', 
'00:15:5d:98:ab:8a']|threatClassification=None|threatClassificationSource=None|threatDetectingEngine=windows.preExecutionSuspicious|threatClassifier=STATIC|threatMitigationStatus=not_mitigated|threatConfidenceLevel=suspicious|threatMitigatedPreemptively=False|threatMitigationStatusLabel=suspicious|threatMitigationStatusID=3|threatCommandLineArguments=None|threatID=1525248211309748254|threatStoryline=E32635ECDC1E8118|threatDetectionTime=2022-10-06 10:35:55.658115|threatIndicatorsList=[29, 12]|threatProcessUser=GROUP\my.user|fileHashSha256=None|fileHashMd5=None|cat=MALWARE|activityID=1525248211443965987|activityType=4003'

**Phase 2: Completed decoding.
       decoder: 'sentinelone-custom'
       filehash: '01412235baf64c5b928252639369eea4e2ba5192'
I don't get a Phase 3 because I haven't created any rules based on these decoders, but you can easily create one as explained here: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#adding-new-decoders-and-rules

You can add as many decoders as you want to get the different fields that you might need.

Please let me know if you need anything else, always glad to help.

Regards,
Jose Camargo

Jose Camargo

Oct 6, 2022, 6:59:49 PM
to Wazuh mailing list
Hi Carlos,

One of the decoders had to be corrected, please use these ones:

<decoder name="sentinelone-custom">
  <prematch>\.*CEF:2\|SentinelOne\|Mgmt</prematch>
</decoder>

<decoder name="sentinelone-custom-fields">
  <parent>sentinelone-custom</parent>
  <regex offset="after_parent">\.*filePath=(\.*)\|</regex>
  <order>filepath</order>
</decoder>

<decoder name="sentinelone-custom-fields">
  <parent>sentinelone-custom</parent>
  <regex offset="after_parent">\.*fileHash=(\S+)\|</regex>
  <order>filehash</order>
</decoder>
And I added some example rules:

<group name="sentinelone">
  <rule id="100024" level="1">
    <decoded_as>sentinelone-custom</decoded_as>
    <description>SentinelOne default rule</description>
  </rule>

  <rule id="100025" level="5">
    <if_sid>100024</if_sid>
    <field name="filepath">\.+</field>  <!-- This will trigger if filepath field has any value -->
    <description>SentinelOne triggered an alert related to file $(filepath)</description>
  </rule>

</group>

You'll get this output:

**Phase 1: Completed pre-decoding.
       full event: 'Oct 6 10:36:04 2022-10-06 10: 36:04,350 sentinel - CEF:2|SentinelOne|Mgmt|Windows 10 Pro|rt=2022-10-06 10:35:55.658115|fileHash=01412235baf64c5b928252639369eea4e2ba5192|filePath=\Device\HarddiskVolume3\Users\my.user\Downloads\Alerta.exe|fileName=Alerta.exe|deviceAddress=18.198.190.203|deviceHostFqdn=euce1-exclusive.sentinelone.net|deviceHostName=euce1-exclusive.sentinelone.net|notificationScope=SITE|siteId=1358622531178348588|siteName=Group|accountId=1358622531169959977|accountName=ES \|\|ES-76\|\Security Services S.L.|vendor=SentinelOne|eventID=4003|eventDesc=New Suspicious threat detected - machine WRKO119|eventSeverity=1|originatorName=WRKO119|originatorVersion=21.7.5.1080|sourceAgentLastActivityTimestamp=2022-10-06 10:35:55.638991|sourceAgentRegisterTimestamp=2022-05-07 14:30:33.134606|sourceNetworkState=connected|sourceOsRevision=19044|sourceOsType=windows|sourceAgentUuid=6ed9d5783d56413f800a0138f34feb75|sourceFqdn=WRKO119.WORKGROUP|sourceThreatCount=2|sourceMgmtPrecievedAddress=92.184.80.14|sourceDnsDomain=WORKGROUP|sourceHostName=WRKO119|sourceUserName=|sourceUserId=|sourceAgentId=1415200390635609493|sourceGroupId=1372370298216691873|sourceGroupName=Security|sourceIpAddresses=['192.168.59.1', 'fe80::15c8:d6d:a7f:976b', '192.168.56.1', 'fe80::64a8:6a29:bcca:aacc', '192.168.63.1', 'fe80::dd9a:a2a:ae92:beb9', '172.28.176.1', 'fe80::44db:a5f5:ded8:d2c5', '192.168.1.102', 'fe80::2d84:6e27:fcad:f24c', '172.18.32.1', 'fe80::3529:ad88:f9ae:4a9f']|sourceMacAddresses=['0a:00:27:00:00:11', '0a:00:27:00:00:19', '0a:00:27:00:00:06', '00:15:5d:8a:79:3c', 'c2:21:b9:a2:1f:40', 
'00:15:5d:98:ab:8a']|threatClassification=None|threatClassificationSource=None|threatDetectingEngine=windows.preExecutionSuspicious|threatClassifier=STATIC|threatMitigationStatus=not_mitigated|threatConfidenceLevel=suspicious|threatMitigatedPreemptively=False|threatMitigationStatusLabel=suspicious|threatMitigationStatusID=3|threatCommandLineArguments=None|threatID=1525248211309748254|threatStoryline=E32635ECDC1E8118|threatDetectionTime=2022-10-06 10:35:55.658115|threatIndicatorsList=[29, 12]|threatProcessUser=GROUP\my.user|fileHashSha256=None|fileHashMd5=None|cat=MALWARE|activityID=1525248211443965987|activityType=4003'
       timestamp: '(null)'
       hostname: 'wazuhaoi-srv'
       program_name: '(null)'
       log: 'Oct 6 10:36:04 2022-10-06 10: 36:04,350 sentinel - CEF:2|SentinelOne|Mgmt|Windows 10 Pro|rt=2022-10-06 10:35:55.658115|fileHash=01412235baf64c5b928252639369eea4e2ba5192|filePath=\Device\HarddiskVolume3\Users\my.user\Downloads\Alerta.exe|fileName=Alerta.exe|deviceAddress=18.198.190.203|deviceHostFqdn=euce1-exclusive.sentinelone.net|deviceHostName=euce1-exclusive.sentinelone.net|notificationScope=SITE|siteId=1358622531178348588|siteName=Group|accountId=1358622531169959977|accountName=ES \|\|ES-76\|\Security Services S.L.|vendor=SentinelOne|eventID=4003|eventDesc=New Suspicious threat detected - machine WRKO119|eventSeverity=1|originatorName=WRKO119|originatorVersion=21.7.5.1080|sourceAgentLastActivityTimestamp=2022-10-06 10:35:55.638991|sourceAgentRegisterTimestamp=2022-05-07 14:30:33.134606|sourceNetworkState=connected|sourceOsRevision=19044|sourceOsType=windows|sourceAgentUuid=6ed9d5783d56413f800a0138f34feb75|sourceFqdn=WRKO119.WORKGROUP|sourceThreatCount=2|sourceMgmtPrecievedAddress=92.184.80.14|sourceDnsDomain=WORKGROUP|sourceHostName=WRKO119|sourceUserName=|sourceUserId=|sourceAgentId=1415200390635609493|sourceGroupId=1372370298216691873|sourceGroupName=Security|sourceIpAddresses=['192.168.59.1', 'fe80::15c8:d6d:a7f:976b', '192.168.56.1', 'fe80::64a8:6a29:bcca:aacc', '192.168.63.1', 'fe80::dd9a:a2a:ae92:beb9', '172.28.176.1', 'fe80::44db:a5f5:ded8:d2c5', '192.168.1.102', 'fe80::2d84:6e27:fcad:f24c', '172.18.32.1', 'fe80::3529:ad88:f9ae:4a9f']|sourceMacAddresses=['0a:00:27:00:00:11', '0a:00:27:00:00:19', '0a:00:27:00:00:06', '00:15:5d:8a:79:3c', 'c2:21:b9:a2:1f:40', 
'00:15:5d:98:ab:8a']|threatClassification=None|threatClassificationSource=None|threatDetectingEngine=windows.preExecutionSuspicious|threatClassifier=STATIC|threatMitigationStatus=not_mitigated|threatConfidenceLevel=suspicious|threatMitigatedPreemptively=False|threatMitigationStatusLabel=suspicious|threatMitigationStatusID=3|threatCommandLineArguments=None|threatID=1525248211309748254|threatStoryline=E32635ECDC1E8118|threatDetectionTime=2022-10-06 10:35:55.658115|threatIndicatorsList=[29, 12]|threatProcessUser=GROUP\my.user|fileHashSha256=None|fileHashMd5=None|cat=MALWARE|activityID=1525248211443965987|activityType=4003'

**Phase 2: Completed decoding.
       decoder: 'sentinelone-custom'
       filepath: '\Device\HarddiskVolume3\Users\my.user\Downloads\Alerta.exe'
       filehash: '01412235baf64c5b928252639369eea4e2ba5192'

**Phase 3: Completed filtering (rules).
       Rule id: '100025'
       Level: '5'
       Description: 'SentinelOne triggered an alert related to file \Device\HarddiskVolume3\Users\my.user\Downloads\Alerta.exe'
**Alert to be generated.

Regards,
Jose Camargo
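The decoders above capture a value as "everything up to the next pipe", which truncates any field that itself contains an escaped pipe (the sample's accountName is `ES \|\|ES-76\|\Security Services S.L.`). The parser below is an added example, not code from the thread or from Wazuh; it handles this SentinelOne CEF:2 layout (header and extensions both pipe-delimited) and assumes a backslash escapes only a following `|`, since the sample's Windows paths use unescaped backslashes. SAMPLE is a shortened line constructed from the thread's own values.

```python
import re

# Constructed sample in the thread's SentinelOne "CEF:2" layout: header and
# extensions are both pipe-delimited, and a pipe inside a value is written \|
SAMPLE = (
    "Oct 6 10:36:04 2022-10-06 10:36:04,350 sentinel - "
    "CEF:2|SentinelOne|Mgmt|Windows 10 Pro|rt=2022-10-06 10:35:55.658115"
    "|fileHash=01412235baf64c5b928252639369eea4e2ba5192"
    "|filePath=\\Device\\HarddiskVolume3\\Users\\my.user\\Downloads\\Alerta.exe"
    "|accountName=ES \\|\\|ES-76\\|\\Security Services S.L.|eventID=4003"
    "|sourceUserName=|sourceIpAddresses=['192.168.59.1', '192.168.56.1']|cat=MALWARE"
)

# Split only on a '|' that is not preceded by a backslash. Assumption: the
# format escapes nothing but '|', so backslashes in device paths are literal
# (a value that genuinely ends in a backslash would be misread by this rule).
_FIELD_SPLIT = re.compile(r"(?<!\\)\|")


def parse_cef2(line):
    """Return (header_fields, extensions) or None if the line has no CEF:2 marker."""
    start = line.find("CEF:2|")
    if start < 0:
        return None
    parts = [p.replace("\\|", "|") for p in _FIELD_SPLIT.split(line[start:])]
    header = parts[:4]          # version, vendor, product, device version
    ext = {}
    for part in parts[4:]:
        key, sep, value = part.partition("=")
        if sep:                 # skip malformed tokens without '='
            ext[key] = value
    return header, ext


def naive_capture(line, key):
    """What a 'capture up to the next pipe' regex, as in the decoders above, yields."""
    m = re.search(re.escape(key) + r"=([^|]*)\|", line)
    return m.group(1) if m else None


def is_sha1(value):
    """fileHash in this feed is a 40-hex-digit SHA-1; reject anything else."""
    return re.fullmatch(r"[0-9a-fA-F]{40}", value or "") is not None
```

Comparing `parse_cef2(SAMPLE)[1]["accountName"]` with `naive_capture(SAMPLE, "accountName")` shows the truncation: the naive capture stops at `ES \`.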

Carlos Lopez

Oct 7, 2022, 2:23:55 AM
to wa...@googlegroups.com
Good morning Jose,

I have tested your decoder and rules but unfortunately same result: no decoders detected ….

Best regards,
C. L. Martinez
