[ossec-list] Re: Windows Defender Decoder ?

2016-05-16 Thread Brent Morris
Rob - can you post your OSSEC version of the log? I can check my rules. These are a culmination of gleaned rules that I updated some time back with new event IDs. Yours is covered in there, but I would like to test it against a valid OSSEC log. So if you can post it from the OSSEC logs,

[ossec-list] Re: Windows Defender Decoder ?

2016-05-17 Thread Rob B
Thanks Brent! Funny enough, that day I figured it out and built a whole bunch very similar to your list. Seems to be working very nicely, as now I find myself leaning towards creating some downright creative composites (finally). I've been looking for some reference material on the tag?

[ossec-list] Re: Windows Defender Decoder ?

2016-05-18 Thread Pedro S
Hi Rob, *extra_data* is another allowed field used by OSSEC decoders to extract information from the event; once it is extracted you can match the field content in order to create a rule. The content of extra_data depends on the decoder which extracted it; in Windows decoders
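As an added example (it is not from this thread and not one of the OSSEC project's shipped rules), the following local_rules.xml fragment shows the pattern Pedro describes: a parent rule that selects events by the content of the decoded extra_data field, with child rules that then key on the event number in the decoded id field. It assumes the stock OSSEC "windows" decoder, which places the event source name in extra_data and the event number in id, and that the Defender source name is "Microsoft-Windows-Windows Defender". The parent rule 18100 (the stock "Group of windows rules"), the rule IDs 100200-100202, and the Defender event IDs 1116/1117 are assumptions to verify against your own installation and logs; the sample log line in the comment is constructed.

```xml
<!-- Added example for local_rules.xml; not the project's shipped rules.
     Constructed sample line, as the OSSEC agent forwards it (one line):
     WinEvtLog: Microsoft-Windows-Windows Defender/Operational: WARNING(1116): Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: WS01: Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
     Assumed decoding by the stock "windows" decoder:
       status      = WARNING
       id          = 1116
       extra_data  = Microsoft-Windows-Windows Defender   (event source name)
       user        = SYSTEM
       system_name = WS01
-->
<group name="windows,windows_defender,">

  <!-- Parent rule: select Defender events by the source name held in extra_data.
       18100 is assumed to be the stock "Group of windows rules" parent. -->
  <rule id="100200" level="0">
    <if_sid>18100</if_sid>
    <extra_data>^Microsoft-Windows-Windows Defender$</extra_data>
    <description>Windows Defender event.</description>
  </rule>

  <!-- Child rules match the event number in the decoded id field.
       1116 and 1117 are assumed Defender event IDs; check them in your logs. -->
  <rule id="100201" level="10">
    <if_sid>100200</if_sid>
    <id>^1116$</id>
    <description>Windows Defender: malware or potentially unwanted software detected.</description>
  </rule>

  <rule id="100202" level="7">
    <if_sid>100200</if_sid>
    <id>^1117$</id>
    <description>Windows Defender: action taken against detected malware.</description>
  </rule>

</group>
```

Paste the sample line into /var/ossec/bin/ossec-logtest to confirm that the decoder really fills extra_data with the source name on your version before relying on the anchored match; if the decoded value differs, adjust the extra_data pattern rather than the event ID rules.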

[ossec-list] Re: Windows Defender Decoder ?

2016-05-18 Thread Rob B
Nice! Thanks Pedro! I've got it now. Cheers.

On Wednesday, May 18, 2016 at 10:09:14 AM UTC-4, Pedro S wrote:
> Hi Rob,
>
> *extra_data* is another allowed field used by OSSEC decoders to extract
> information from the event, once it is extracted you can match the field
> content in order

[ossec-list] Re: Windows Defender Decoder ?

2016-05-19 Thread Jesus Linares
Hi Brent, your rules are in OSSEC by default (with other IDs, why?) but you added a few new rules. Could you send a PR to OSSEC or Wazuh with your new rules? Thanks.

On Wednesday, May 18, 2016 at 8:38:16 PM UTC+2, Rob B wrote:
> Nic

[ossec-list] Re: Windows Defender Decoder ?

2016-05-20 Thread Brent Morris
Hi Jesus, Yeah, I think I submitted a pull request into OSSEC some time back on this... If memory serves, the other IDs are because I used the existing MS ID schema for OSSEC. The odd IDs are just because these live in my local_rules.xml in production. Sadly, I haven't had the time to update

[ossec-list] Re: Windows Defender Decoder ?

2017-03-01 Thread Ed Davison
It would be great to see the decoder entries that go with these rules ... I know this is an older post but maybe you are still around and can share the decoder and maybe the plugin as well?

On Monday, May 16, 2016 at 4:22:08 PM UTC-5, Brent Morris wrote:
> Rob - can you post your OSSEC versio

Re: [ossec-list] Re: Windows Defender Decoder ?

2017-03-01 Thread dan (ddp)
On Wed, Mar 1, 2017 at 6:40 PM, Ed Davison wrote:
> It would be great to see the decoder entries that go with these rules ... I
> know this is an older post but maybe you are still around and can share the
> decoder and maybe the plugin as well?

If you can provide log samples, we can work on

Re: [ossec-list] Re: Windows Defender Decoder ?

2017-03-03 Thread Ed Davison
On Wednesday, March 1, 2017 at 7:31:58 PM UTC-6, dan (ddpbsd) wrote:
> On Wed, Mar 1, 2017 at 6:40 PM, Ed Davison wrote:
> > It would be great to see the decoder entries that go with these rules ... I
> > know this is an older post but maybe you are still around and can share the