Sysmon Rule not working


M Jones

Feb 19, 2022, 7:26:17 AM
to Wazuh mailing list
Hi, I've tried different rules to get the log below to trigger, but everything I'm trying doesn't seem to work. I have attached the JSON log from the archive and the rule I'm using. This will be more filtered when in production, but for now it's just about getting it to work.

<rule id="255090" level="13">
  <field name="win.system.eventID">^3$</field>
  <description>Sysmon - Event 3: Network Connection</description>
  <options>no_full_log</options>
  <group>sysmon_event_3,</group>
</rule>

{"timestamp":"2022-02-19T12:13:16.233+0000","agent":{"id":"019","name":"Surface","ip":"10.0.0.99"},"manager":{"name":"redacted"},"id":"1645272796.20257382","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"3\",\"version\":\"5\",\"level\":\"4\",\"task\":\"3\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-02-19T12:13:15.7801824Z\",\"eventRecordID\":\"236151\",\"processID\":\"6380\",\"threadID\":\"8028\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"Surface.local\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Network connection detected:\\r\\nRuleName: -\\r\\nUtcTime: 2022-02-19 12:13:15.140\\r\\nProcessGuid: {00000000-0000-0000-0000-000000000000}\\r\\nProcessId: 7596\\r\\nImage: C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\Office16\\\\WINWORD.EXE\\r\\nUser: Redacted\\\\user\\r\\nProtocol: tcp\\r\\nInitiated: true\\r\\nSourceIsIpv6: false\\r\\nSourceIp: 10.0.0.99\\r\\nSourceHostname: Surface.local\\r\\nSourcePort: 62225\\r\\nSourcePortName: -\\r\\nDestinationIsIpv6: false\\r\\nDestinationIp: 52.109.88.174\\r\\nDestinationHostname: -\\r\\nDestinationPort: 443\\r\\nDestinationPortName: https\\\"\"},\"eventdata\":{\"utcTime\":\"2022-02-19 12:13:15.140\",\"processGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"processId\":\"7596\",\"image\":\"C:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\Root\\\\\\\\Office16\\\\\\\\WINWORD.EXE\",\"user\":\"redacted\\\\\\\\matt\",\"protocol\":\"tcp\",\"initiated\":\"true\",\"sourceIsIpv6\":\"false\",\"sourceIp\":\"10.15.0.99\",\"sourceHostname\":\"Surface.redacted.local\",\"sourcePort\":\"62225\",\"destinationIsIpv6\":\"false\",\"destinationIp\":\"52.109.88.174\",\"destinationPort\":\"443\",\"destinationPortName\":\"https\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"3","version":"5","level":"4","task":"3","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-02-19T12:13:15.7801824Z","eventRecordID":"236151","processID":"6380","threadID":"8028","channel":"Microsoft-Windows-Sysmon/Operational","computer":"Surface.redacted.local","severityValue":"INFORMATION","message":"\"Network connection detected:\r\nRuleName: -\r\nUtcTime: 2022-02-19 12:13:15.140\r\nProcessGuid: {00000000-0000-0000-0000-000000000000}\r\nProcessId: 7596\r\nImage: C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE\r\nUser: redacted\\user\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 10.0.0.99\r\nSourceHostname: Surface.local\r\nSourcePort: 62225\r\nSourcePortName: -\r\nDestinationIsIpv6: false\r\nDestinationIp: 52.109.88.174\r\nDestinationHostname: -\r\nDestinationPort: 443\r\nDestinationPortName: https\""},"eventdata":{"utcTime":"2022-02-19 12:13:15.140","processGuid":"{00000000-0000-0000-0000-000000000000}","processId":"7596","image":"C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\Office16\\\\WINWORD.EXE","user":"WOLFBERRY\\\\matt","protocol":"tcp","initiated":"true","sourceIsIpv6":"false","sourceIp":"10.15.0.99","sourceHostname":"Surface.local","sourcePort":"62225","destinationIsIpv6":"false","destinationIp":"52.109.88.174","destinationPort":"443","destinationPortName":"https"}}},"location":"EventChannel"}

Thanks

Mariano Koremblum

Feb 21, 2022, 7:47:29 AM
to Wazuh mailing list
Hi!

Please, could you tell us how you are testing the log? Because I did try your rule and, in my case, it is working correctly.

I will be waiting for your answer!

Best regards,

Mariano Koremblum
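An added example, not code from either poster or from the Wazuh project, to go with Mariano's question about how the log is being tested. The record quoted above is an archives.json line: the manager's output, which keeps the original event as a string in "full_log" and the decoded copy under "data". The script below rebuilds a shortened record of that shape (constructed values), emulates the rule's single `<field name="win.system.eventID">^3$</field>` condition, and shows that the condition only matches when it is given the inner event, not the whole wrapper. Python's `re` stands in for Wazuh's OS_Regex (an assumption; `^3$` behaves identically in both), and the field-lookup and alert-shaping helpers are hypothetical, written for this illustration.

```python
import json
import re

# Constructed sample event, shaped like the "full_log" in the thread (values shortened).
INNER_EVENT = {
    "win": {
        "system": {
            "providerName": "Microsoft-Windows-Sysmon",
            "eventID": "3",
            "channel": "Microsoft-Windows-Sysmon/Operational",
            "computer": "Surface.local",
        },
        "eventdata": {
            "image": "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE",
            "protocol": "tcp",
            "destinationIp": "52.109.88.174",
            "destinationPort": "443",
        },
    }
}

# Constructed archives.json wrapper: the event is a *string* in "full_log",
# and the decoded copy lives under "data", not at the top level.
ARCHIVE_LINE = json.dumps({
    "timestamp": "2022-02-19T12:13:16.233+0000",
    "agent": {"id": "019", "name": "Surface"},
    "full_log": json.dumps(INNER_EVENT),
    "decoder": {"name": "windows_eventchannel"},
    "data": INNER_EVENT,
    "location": "EventChannel",
})

# The rule from the thread, reduced to the one condition it carries.
RULE = {"id": "255090", "level": 13, "field": "win.system.eventID", "pattern": r"^3$"}


def lookup(obj, dotted_path):
    """Walk a dotted field name (win.system.eventID) through nested dicts; None if absent."""
    for key in dotted_path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def raw_log_from_archive(line):
    """Return the raw event string a tester should feed to the decoder.

    If the line is an archives.json wrapper (it has "full_log" and "decoder"),
    the original event is the "full_log" string; otherwise the line already is
    the raw event and is returned unchanged.
    """
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return line
    if isinstance(record, dict) and "full_log" in record and "decoder" in record:
        return record["full_log"]
    return line


def rule_matches(rule, raw_log):
    """Emulate one <field> condition: decode the JSON event, then apply the regex.

    A missing field or undecodable input is "no match", never an exception, which
    mirrors how a rule silently fails to fire when the field is not where it expects.
    """
    try:
        event = json.loads(raw_log)
    except json.JSONDecodeError:
        return False
    value = lookup(event, rule["field"])
    if not isinstance(value, str):
        return False
    return re.search(rule["pattern"], value) is not None  # re stands in for OS_Regex


def alert_for(rule, raw_log):
    """Return the alert fields a match would populate, or None when the rule stays quiet."""
    if not rule_matches(rule, raw_log):
        return None
    return {
        "rule.id": rule["id"],
        "rule.level": rule["level"],
        "data." + rule["field"]: lookup(json.loads(raw_log), rule["field"]),
    }


if __name__ == "__main__":
    # The wrapper: no match, because win.system.eventID is under "data", not at the root.
    print("wrapper matches:", rule_matches(RULE, ARCHIVE_LINE))
    # The inner event from "full_log": the rule fires.
    raw = raw_log_from_archive(ARCHIVE_LINE)
    print("raw event matches:", rule_matches(RULE, raw))
    print(alert_for(RULE, raw))
```

The practical check this encodes: when testing a rule against a line copied from archives.json, paste the contents of "full_log" (the `{"win":{...}}` object, with its escaping undone), not the surrounding record, because the surrounding record is what the manager produced after decoding, and its top-level fields are not the ones the `<field>` condition looks at.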