Help for Decoders and Regex


Daniel Lima

Apr 20, 2022, 5:26:13 PM
to Wazuh mailing list
Hi Everybody,

Could someone help me create a Decoder and a Regular Expression to get these fields and values:


Field: duser=TESTE\\angelica.pietro
Value: TESTE\\angelica.pietro

Sample:

2022 Apr 20 15:56:05 quality-wazuh->13.89.207.172 Apr 20 2022 15:56:05 rdz2gc.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|WB:Web reputation|Web reputation|3|deviceExternalId=7237 devicePayloadId=09003A0DA492-A9DD11EC-C0DB-7CD8-5753 rt=Apr 20 2022 18:54:20 GMT+00:00 app=32 cnt=1 dpt=443 act=2 src=192.168.1.3 TMCMLogDetectedIP=192.168.1.3 cs1Label=SLF_PolicyName cs1=Internal User Policy deviceDirection=2 cat=Web reputation dvchost=CU-13809-2 request=https://short.ink/TX5V8H9WQ duser=TESTE\\angelica.pietro shost=DESKTOP-H4KKMFI TMCMLogDetectedHost=DESKTOP-H4KKMFI deviceProcessName=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe cn3Label=Web_Reputation_Rating cn3=49 deviceFacility=Apex One cn2Label=SLF_SeverityLevel cn2=100 ApexCentralHost=Apex Central as a Service deviceNtDomain=N/A dntdom=TESTE\\

Christian Borla

Apr 20, 2022, 5:56:09 PM
to Wazuh mailing list
Hi danfire
I hope you are doing fine!

I'm glad to help you. I created a parent decoder and 2 child decoders to match and capture the fields that you need, and also added an extra decoder to capture the date/time, application and version fields too; if that information isn't useful to you, just remove that decoder.

Decoders:

<decoder name="cef_trend_micro">
    <prematch type="pcre2">CEF:0\|Trend Micro\|</prematch>
</decoder>

<decoder name="cef_trend_micro_child">
    <parent>cef_trend_micro</parent>
    <regex type="pcre2">(\w{3})\s+\d{1,2}\s+(\d+)\s+(\d+:\d+:\d+)\s+.*?CEF:0\|Trend Micro\|([^\|]+)\|(\d+)\|</regex>
    <order>time.month,time.day,time.hour,application,version</order>
</decoder>

<decoder name="cef_trend_micro_child">
    <parent>cef_trend_micro</parent>
    <regex type="pcre2">CEF:0\|Trend Micro\|.*?request=(\S+)</regex>
    <order>request</order>
</decoder>

<decoder name="cef_trend_micro_child">
    <parent>cef_trend_micro</parent>
    <regex type="pcre2">CEF:0\|Trend Micro\|.*?duser=(\S+)</regex>
    <order>user</order>
</decoder>


Also I created an example rule, to trigger an alert from trend micro events.

Rule:


<group name="trendmicro">
  <rule id="100200" level="7">
    <decoded_as>cef_trend_micro</decoded_as>
    <description>cef_trend_micro: Event</description>
  </rule>
</group>


I tested it by running wazuh-logtest, and it decodes the log as expected.

/var/ossec/bin/wazuh-logtest
Type one log per line


2022 Apr 20 15:56:05 quality-wazuh->13.89.207.172 Apr 20 2022 15:56:05 rdz2gc.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|WB:Web reputation|Web reputation|3|deviceExternalId=7237 devicePayloadId=09003A0DA492-A9DD11EC-C0DB-7CD8-5753 rt=Apr 20 2022 18:54:20 GMT+00:00 app=32 cnt=1 dpt=443 act=2 src=192.168.1.3 TMCMLogDetectedIP=192.168.1.3 cs1Label=SLF_PolicyName cs1=Internal User Policy deviceDirection=2 cat=Web reputation dvchost=CU-13809-2 request=https://short.ink/TX5V8H9WQ duser=TESTE\\angelica.pietro shost=DESKTOP-H4KKMFI TMCMLogDetectedHost=DESKTOP-H4KKMFI deviceProcessName=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe cn3Label=Web_Reputation_Rating cn3=49 deviceFacility=Apex One cn2Label=SLF_SeverityLevel cn2=100 ApexCentralHost=Apex Central as a Service deviceNtDomain=N/A dntdom=TESTE\\

**Phase 2: Completed decoding.
    name: 'cef_trend_micro'
    application: 'Apex Central'
    dstuser: 'TESTE\\angelica.pietro'
    request: 'https://short.ink/TX5V8H9WQ'
    time.day: '2022'
    time.hour: '15:56:05'
    time.month: 'Apr'
    version: '2019'

**Phase 3: Completed filtering (rules).
    id: '100200'
    level: '7'
    description: 'cef_trend_micro: Event'
    groups: '['trendmicro']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

Let me know if this information is useful to you!
Regards.
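As an added example (it is not from the thread and not Wazuh's own code), the Python below first applies the three posted child-decoder regexes to the sample line, which reproduces the logtest output above, including `time.day` holding the year `2022`: the posted regex's second capture group is the 4-digit year and the day of month is never captured. It then parses the same line with a key-boundary CEF parser, which shows two caveats worth knowing before writing rules on these fields. `\S+` stops at the first space, so a capture such as `cs1=(\S+)` yields `Internal` instead of `Internal User Policy`, and a user name containing a space would be truncated the same way. The posted decoder also keeps the CEF-escaped value `TESTE\\angelica.pietro` (two backslashes, as the logtest output shows), so a rule matching on `TESTE\angelica.pietro` will not fire unless it accounts for the escaping. Python's `re` stands in for the PCRE2 engine Wazuh uses; for these patterns both engines behave the same. The function names, the key-boundary regex and the corrected timestamp regex are this example's own.

```python
"""Parse the Trend Micro Apex Central CEF line from the thread and compare it
with what the posted Wazuh decoders capture. Added example, not code from the
mailing-list post or from Wazuh."""
import re

# The sample line from the thread, copied as posted. The leading
# "2022 Apr 20 ... quality-wazuh->13.89.207.172 " is the archives.log header
# that wazuh-logtest echoes in front of the event.
SAMPLE = (
    "2022 Apr 20 15:56:05 quality-wazuh->13.89.207.172 Apr 20 2022 15:56:05 "
    "rdz2gc.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|"
    "WB:Web reputation|Web reputation|3|deviceExternalId=7237 "
    "devicePayloadId=09003A0DA492-A9DD11EC-C0DB-7CD8-5753 "
    "rt=Apr 20 2022 18:54:20 GMT+00:00 app=32 cnt=1 dpt=443 act=2 "
    "src=192.168.1.3 TMCMLogDetectedIP=192.168.1.3 cs1Label=SLF_PolicyName "
    "cs1=Internal User Policy deviceDirection=2 cat=Web reputation "
    "dvchost=CU-13809-2 request=https://short.ink/TX5V8H9WQ "
    r"duser=TESTE\\angelica.pietro shost=DESKTOP-H4KKMFI "
    "TMCMLogDetectedHost=DESKTOP-H4KKMFI "
    r"deviceProcessName=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe "
    "cn3Label=Web_Reputation_Rating cn3=49 deviceFacility=Apex One "
    "cn2Label=SLF_SeverityLevel cn2=100 ApexCentralHost=Apex Central as a Service "
    r"deviceNtDomain=N/A dntdom=TESTE\\"
)

# The three child-decoder regexes exactly as posted, with their <order> fields.
POSTED_DECODERS = [
    (r"(\w{3})\s+\d{1,2}\s+(\d+)\s+(\d+:\d+:\d+)\s+.*?CEF:0\|Trend Micro\|([^\|]+)\|(\d+)\|",
     ["time.month", "time.day", "time.hour", "application", "version"]),
    (r"CEF:0\|Trend Micro\|.*?request=(\S+)", ["request"]),
    (r"CEF:0\|Trend Micro\|.*?duser=(\S+)", ["user"]),
]


def run_posted_decoders(line):
    """Apply the posted regexes the way Wazuh does: each child decoder is tried
    on its own and its capture groups fill the <order> fields in sequence."""
    fields = {}
    for pattern, order in POSTED_DECODERS:
        m = re.search(pattern, line)
        if m:
            fields.update(zip(order, m.groups()))
    return fields


# Corrected timestamp capture (this example's own): day and year as separate groups.
TIMESTAMP_RE = re.compile(r"(\w{3})\s+(\d{1,2})\s+(\d{4})\s+(\d{2}:\d{2}:\d{2})")


def timestamp_fields(line):
    """Month, day, year and time from the 'Apr 20 2022 15:56:05' part of the line."""
    m = TIMESTAMP_RE.search(line)
    return dict(zip(["time.month", "time.day", "time.year", "time.hour"], m.groups()))


# A key in the CEF extension starts at the beginning or after whitespace and is
# followed by '='; backslash is not a key character, so an escaped '\=' inside a
# value never starts a new key.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def split_cef_header(cef):
    """Split 'CEF:0|vendor|product|version|sigid|name|severity|ext' on the first
    seven unescaped pipes ('\\|' and '\\\\' are header escapes)."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        c = cef[i]
        if c == "\\" and i + 1 < len(cef):
            cur.append(cef[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    return fields, cef[i:]


def parse_cef_extension(ext):
    """Slice the extension on 'key=' boundaries so values containing spaces
    (cs1=Internal User Policy) survive. Values are returned raw, still escaped."""
    keys = list(KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip()
    return out


def cef_unescape(value):
    """Undo extension escaping: '\\\\' -> '\\', '\\=' -> '=', '\\n'/'\\r' -> newline/CR."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Parse a syslog/archives.log line that carries a CEF event."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    header, ext = split_cef_header(line[idx:])
    if len(header) != 7:
        raise ValueError("malformed CEF header")
    names = ["cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
    event = dict(zip(names, header))
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    event["extension"] = parse_cef_extension(ext)
    return event


def naive_vs_parsed(line):
    """Why '\\S+' captures are fragile: on cs1 it stops at the first space."""
    naive = re.search(r"cs1=(\S+)", line).group(1)
    return naive, parse_cef(line)["extension"]["cs1"]


if __name__ == "__main__":
    print(run_posted_decoders(SAMPLE))      # time.day is '2022', the year
    print(timestamp_fields(SAMPLE))
    print(naive_vs_parsed(SAMPLE))          # ('Internal', 'Internal User Policy')
    print(cef_unescape(parse_cef(SAMPLE)["extension"]["duser"]))
```

Run it against the sample line as is; to test other Apex Central events, replace `SAMPLE` with a line from archives.log. If a rule needs the unescaped user name, either match on the two-backslash form the decoder stores or normalise it the way `cef_unescape` does before comparing.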