wazuh-ruleset
Ruleset update to support new Sysmon 10 capabilities
Hi team,
Let's make Wazuh-Ruleset support events including new features on Sysmon 10.
Sysmon 10 new features to check:
- [x] DNS query logging
- [x] OriginalFileName field in process creation and load image events
- [x] ImageName field for named pipe events
- [x] pico process creation and termination logging
Best regards,
Juan Pablo Sáez
Thanks for creating it so quickly after Sysmon v10 was released. I'll be sure to try out rules made here once you start developing them.
Hello team,
The main Sysmon rules are already created.
Now you have to create rules that generate alerts. There are two options:
- Create a rule for each program you want to analyze.
- Create a CDB list with all the programs you want to analyze.
Maybe the second option is the best because users will be able to modify this list and add or remove the programs they want. Otherwise, users will have to create their own rules to analyze these programs.
In addition, it must be determined which programs will generate alerts.
Regards, Eva
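A sketch of the second option for the new Event ID 22 DNS query events, added here as an illustration and not taken from this thread or the wazuh-ruleset repository: a local parent rule that isolates Sysmon Event 22, and a child rule that alerts only when the querying program's Image is a key in a CDB list. The rule ids (100100-100102), the list path, rule 60000 as the base Windows eventchannel rule, and the `win.eventdata.*` field names are assumptions that need checking against the installed ruleset.

```xml
<!-- local_rules.xml fragment (constructed example). Relies on the eventchannel decoder
     exposing Sysmon EventData as win.eventdata.<fieldName> with the first letter lowered. -->
<group name="sysmon,sysmon_dns,">

  <!-- Parent: isolate Sysmon Event ID 22 (DNS query). Assumes rule 60000 is the base
       Windows eventchannel rule; level 0 so this rule never alerts on its own. -->
  <rule id="100100" level="0">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">Microsoft-Windows-Sysmon/Operational</field>
    <field name="win.system.eventID">^22$</field>
    <description>Sysmon - Event 22: DNS query</description>
    <group>sysmon_event_22,</group>
  </rule>

  <!-- Child: alert only when the querying process is a key in the watch list.
       lookup="match_key" is an exact key match, so each list key must be the full image
       path exactly as Sysmon reports it (e.g. C:\Windows\System32\cmd.exe).
       Using <list field=...> on a dynamic win.eventdata.* field is assumed to be supported. -->
  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <list field="win.eventdata.image" lookup="match_key">etc/lists/sysmon-dns-watchlist</list>
    <description>Sysmon - Event 22: watched program $(win.eventdata.image) queried $(win.eventdata.queryName)</description>
    <group>sysmon_event_22,dns_watchlist,</group>
  </rule>

  <!-- Optional: raise the level when a watched program gets a non-existent name back.
       9003 is the Windows DNS error code for "name does not exist" (NXDOMAIN); repeated
       NXDOMAIN answers from a scripting host are worth a closer look. -->
  <rule id="100102" level="9">
    <if_sid>100101</if_sid>
    <field name="win.eventdata.queryStatus">^9003$</field>
    <description>Sysmon - Event 22: NXDOMAIN for $(win.eventdata.queryName) requested by watched program $(win.eventdata.image)</description>
    <group>sysmon_event_22,dns_watchlist,</group>
  </rule>

  <!-- etc/lists/sysmon-dns-watchlist (constructed, one key:value per line), for example:
         C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:scripting-host
         C:\Windows\System32\wscript.exe:scripting-host
       Register the list in ossec.conf under <ruleset> with
       <list>etc/lists/sysmon-dns-watchlist</list>, compile it with
       /var/ossec/bin/ossec-makelists, then restart the manager. -->

</group>
```

Because the list is looked up at analysis time, users can add or remove programs in the CDB file and recompile it without touching the rules, which is the advantage of the second option described above.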
What about additions to the decoder? For example should there be an entry in https://github.com/wazuh/wazuh-ruleset/blob/master/decoders/0380-windows_decoders.xml for the new Event ID 22: DNSEvent (DNS query)?
Hi Paul,
Thank you for your feedback. Unfortunately, it's not possible to create decoders for the eventlog format, as it only supports the main channels: system, security, and application. The decoder file that you are referring to matches eventlog logs and eventchannel logs from versions older than 3.8. Since version 3.8, the eventchannel decoder has been implemented in C, and it's only necessary to create rules. Which Wazuh version are you using? We are going to add decoders and rules for version 3.7, and rules for the new eventchannel from 3.8 onwards.
Regards, Eva.
We're on the latest version, 3.9.2. Thanks for your work on this invaluable feature!