Last active
March 11, 2023 15:58
-
-
Save cyberno-ir/cf70e2c4d2fb9b53db3c1b18f2b8c3f3 to your computer and use it in GitHub Desktop.
Cyberno decoder and rule for Wazuh XDR
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <decoder name="kiosk"> | |
| <program_name>main</program_name> | |
| </decoder> | |
| <decoder name="kiosk_child"> | |
| <parent>kiosk</parent> | |
| <prematch>User_Email: (\S*) User_IP: (\S*) User_Agent: (\.*) Log: (\.*) Extra: </prematch> | |
| <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder> | |
| </decoder> | |
| <decoder name="kiosk_child"> | |
| <parent>kiosk</parent> | |
| <regex>User_Email: (\S*) User_IP: (\S*) User_Agent: (\.*) Log: (\.*) Extra: (\.*)</regex> | |
| <order>email,ip,useragent,log,extra</order> | |
| </decoder> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- Cyberno Kiosk Rule --> | |
| <group name="kiosk,"> | |
| <rule id="151003" level="7"> | |
| <field name="log">The user has entered a wrong email/password.</field> | |
| <description>$(log)</description> | |
| <group>authentication_failed,syslog</group> | |
| </rule> | |
| <rule id="151004" level="3"> | |
| <field name="log">The user has successfully logged out.</field> | |
| <description>$(log)</description> | |
| <group>authentication_success,syslog</group> | |
| </rule> | |
| <rule id="151005" level="3"> | |
| <field name="log">Unsuccessful attempt to change password.</field> | |
| <description>$(log)</description> | |
| <group>syslog</group> | |
| </rule> | |
| <rule id="151006" level="3"> | |
| <field name="log">The user has successfully logged in.</field> | |
| <description>$(log)</description> | |
| <group>authentication_success,syslog</group> | |
| </rule> | |
| <rule id="151007" level="5"> | |
| <field name="log">The user has requested to reset the password.</field> | |
| <description>$(log)</description> | |
| <group>syslog</group> | |
| </rule> | |
| <rule id="151008" level="5"> | |
| <field name="log">The user password has been changed.</field> | |
| <description>$(log)</description> | |
| <group>syslog</group> | |
| </rule> | |
| <rule id="151009" level="5"> | |
| <decoded_as>kiosk</decoded_as> | |
| <field name="log">Scan (\.*) has been started.</field> | |
| <description>Scan started.</description> | |
| <group>syslog</group> | |
| </rule> | |
| <rule id="151010" level="0"> | |
| <decoded_as>kiosk</decoded_as> | |
| <field name="log">Scan (\.*) has been finished.</field> | |
| <description>Scan finished.</description> | |
| <group>syslog</group> | |
| </rule> | |
| <rule id="151011" level="12"> | |
| <if_sid>151010</if_sid> | |
| <field name="extra" negate="yes">{"malware": {"normal": {}, "compressed": {}}</field> | |
| <description>Scan finished. Malware found.</description> | |
| <group>syslog</group> | |
| </rule> | |
| <rule id="151012" level="5"> | |
| <if_sid>151010</if_sid> | |
| <field name="extra">{"malware": {"normal": {}, "compressed": {}}</field> | |
| <description>Scan finished. All files are clean.</description> | |
| <group>syslog</group> | |
| </rule> | |
| </group> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment