Juan Pablo Sáez Gutiérrez
Hi @hmbg, Using your configuration I have successfully recreated the environment of your issue: ```** Alert 1561376309.1696329: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f, 2019 Jun 24 13:38:29 (ssh_integrity_check_linux) [email protected]>syscheck Rule: 550 (level 7) ->...
Hi @DisMeo, Thanks for your contribution, we are going to review it and it will be added to the Wazuh ruleset. Best regards, Juan Pablo Sáez
Hi @Bob-Andrews, First of all, we're really sorry for the late response. We are reviewing your contribution and adding it to Wazuh-ruleset as soon as possible. Best regards, Juan Pablo Sáez
Hello @kravietz, First of all, thanks for your contribution and sorry for the late reply. Could you paste here several example logs so I can check your decoders and rules?...
Hello again @kravietz, Thanks for your patience, I saw today that you had already included these two dummy events on the `0485-falco.xml` file. Below is the output for the two...
Hello @kravietz, I'm sorry for the late response, I hope you're doing well. Please, could you create a `test.ini` unit tests file related to the added rules? I forgot to...
Hello @neonmei, > Ran a lab test and found a small issue -unrelated to changes introduced by this PR- in roles/wazuh/ansible-wazuh-manager/templates/agentless.j2. Observed problem is the following: https://ossec-list.narkive.com/kGDldPMd/ossec-agentless-questions > > Once...
Hello @Bob-Andrews, Sorry for the late reply. Our team is going to review your contribution and see if it is possible to add it to Wazuh-ruleset. Thank you for participating...
- The new commit on this PR adds some rule for authentication events on mac that look like this: `Apr 11 02:00:15 localhost com.apple.AccountPolicyHelper[245]: (88.21.2) AuthenticationAllowed completed: record "root", result:...
- Now the rule is able to output which user was the target of the log attempt: Event log: `Apr 11 02:00:15 localhost com.apple.AccountPolicyHelper[245]: (88.21.2) AuthenticationAllowed completed: record "root", result:...