Hey Johnny, I really appreciate the kind words! I am glad you find my videos helpful and feel free to recommend any new tools or features you would like to see, as long as they are open source of course :). Thanks for watching!

I second this!

Hey Adrien, your first question is correct. Ya a rule could check the field of the audit.execve fields for /etc/password, or whatever else you would like to search for

Correct. Also ensure you grab the ruleset from github

I'll have to check that out!

Hi Emerson, I have some doubts with your question, do you want to run commands in Windows and monitor the output of the commands or do you want to monitor if a command was executed? In the first case, Wazuh has a functionality that allows you to get the output command with a custom rule if you create it. The following section of the documentation explains how it works: Wazuh-Documentation->user-manual->capabilities->command-monitoring Please, you should follow these steps to use the feature: 1. Set the logcollector.remote_command flag to 1 in local_internal_options.conf file. 2. Add the localfile section in ossec.conf or agent.conf depending on whether you want to share the configuration with a group of agents or configure it for a specific agent. 3. Create a rule to receive the alert in the manager. In the following section of the documentation, there are interesting examples on command monitoring. Wazuh-Documentation->user-manual->capabilities->command-monitoring->command-configuration In the second case, you can configure windows agents to monitor Sysmon events The following blog explains how to configure it: Wazuh-page->blog->using-wazuh-to-monitor-sysmon-events I hope it helps.