0

I have a powershell rule in /var/ossec/etc/rules/local_rules.xml
The rule is: 
 <group name="sysmon,">
   <rule id="255000" level="12">
   <if_group>sysmon_event1</if_group>
   <field name="sysmon.image">\\powershell.exe||\\.ps1||\\.ps2</field>
   <description>Sysmon - Event 1: Bad exe: $(sysmon.image)</description>
   <group>sysmon_event1,powershell_execution,</group>
   </rule>
</group>

As you can see, the rule.level is 12. But when I have a look alerts.json, I see this result.

{"timestamp":"2022-02-02T00:29:24.590-0800","rule":{"level":8,"description":"Sysmon - Event 1: Process creation Windows PowerShell","id":"61603","firedtimes":5,"mail":false,"groups":["windows","sysmon",>

The rule.level is 8. What can be problem and How can I fix it?

ouflak
  • 2,458
  • 10
  • 44
  • 49
muyuka
  • 19
  • 6

1 Answers1

1

As you can see in the alerts.json excerpt, the problem is that the event is not matching with your custom rule but with the rule with ID 61603, which has a different severity level. That's the reason why the severity level doesn't match with the one you expect.

We can conclude that your custom rule is not working as expected. Please, post the log you are trying to create the rule for so we can better help you write it.

Gonzz
  • 26
  • 3
  • 1
    Sorry for my late response. Thank you for your help. I didn't notice that the event is not matching with my custom rule. And I fixed the problem. – muyuka Feb 03 '22 at 12:00