Also, where is the part where you created the GeoIP lookup:data_win_eventdata_destinationIp pipeline rules?
@maximojimeno 1 year ago
Could you find the solution? I have the same problem.
@enderst81 2 years ago
I must have missed where we installed Sysmon for Linux. BTW this has been an awesome series.
@taylorwalton_socfortress 2 years ago
Haven't covered that, but there is an install guide in the repo: github.com/Sysinternals/SysmonForLinux
@monkinsane 11 months ago
@taylorwalton_socfortress Could you please share your Linux Sysmon config.xml file?
@leoasis11 2 years ago
Thank you for sharing your knowledge, love the vid.
@maximojimeno 1 year ago
In which part do you configure the GeoIP lookup:data_win_eventdata_destinationIp pipeline rules?
@vinyldown8490 1 year ago
This is dooope!! ty
@monkinsane 11 months ago
Hi, first of all, thanks for the vids. Just wondering why you're using Sysmon for Linux when your how-to on agent install installs Packetbeat? This causes the Linux normalization to not work for people following your how-to.
@1222dss 2 years ago
Is there any way to normalize logs within Wazuh? I've run into a similar problem with Suricata logs, where the IP had a different syntax and the extracted field couldn't be used by active responses.
@taylorwalton_socfortress 2 years ago
Hey Kotory, you can, but it is a little complicated. You will need to create a custom Wazuh decoder to match on the field name that Suricata writes the destination IP to and map that to `dst_ip` (or whatever field name Wazuh needs for the default active response; I forgot what that is off the top of my head).
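A sketch of the custom-decoder approach described in the reply above, added here as an example; it is not code from the video, from SOCFortress or from Wazuh's own ruleset. It assumes the Suricata eve.json lines reach Wazuh through the built-in `json` decoder (so the plugin already yields data.src_ip and data.dest_ip), that Suricata writes src_ip before dest_ip on each line (its default EVE field order), and that the stock firewall-drop active response reads the alert's srcip field. The decoder name and the local_decoder.xml location are the usual Wazuh convention for custom decoders, not anything the thread states.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml (assumed location; Wazuh's usual file for custom decoders) -->

<!-- Child of the built-in "json" decoder. The JSON plugin still populates
     data.src_ip / data.dest_ip; this child additionally copies the two values into
     Wazuh's standard srcip / dstip fields. srcip is the field the default
     firewall-drop active response reads (assumption: verify against your version's
     active-response/bin/firewall-drop script). Both captures live in one regex because
     Wazuh applies only one matching child per parent, and Suricata emits src_ip before
     dest_ip in EVE JSON (assumption about field order). -->
<decoder name="suricata-eve-endpoints">
  <parent>json</parent>
  <regex type="pcre2">"src_ip"\s*:\s*"([^"]+)".*?"dest_ip"\s*:\s*"([^"]+)"</regex>
  <order>srcip, dstip</order>
</decoder>
```

Check it before wiring up an active response: run /var/ossec/bin/wazuh-logtest on the manager, paste one raw eve.json alert line, and confirm that the phase 2 decoding output lists srcip and dstip alongside the plugin's src_ip and dest_ip. If the decoder is not listed, the line is not being routed through the json parent in your setup and the <parent> needs adjusting.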
@maximojimeno 1 year ago
I had the same problem and I was able to solve it with this rule:

  rule "GreyNoise Lookup on DestIP"
  when
    has_field("dst-ip")
  then
    // rename first so the field can be referenced as $message.DestIP
    // (a hyphenated name like dst-ip would otherwise need backtick quoting)
    rename_field("dst-ip", "DestIP");
    let ldata = lookup(
      lookup_table: "greynoise",
      key: to_string($message.DestIP)
    );
    // every key returned by the lookup table becomes a greynoise_* field
    set_fields(fields: ldata, prefix: "greynoise_");
  end