Add a test for a Windows 2003 R2 log from Brent Morris.

ossec · May 15, 2015 · 6c91c45 · 6c91c45
1 parent 89f8f18
commit 6c91c45
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/contrib/ossec-testing/tests/sysmon.ini b/contrib/ossec-testing/tests/sysmon.ini
@@ -9,3 +9,10 @@ log 1 pass = 2014 Dec 20 12:15:13 (HME-TEST-01) 10.0.15.14->WinEvtLog 2014 Dec 2
 rule = 184667
 alert = 0
 decoder = Sysmon-EventID#1
+
+[Windows Event]
+2015 Mar 30 15:47:04 WinEvtLog: System: INFORMATION(1): Sysmon: UserName: SYSTEM-NAME: SYSTEM-NAME: Process Create:      UtcTime: 3/30/2015 10:47:04.494 PM      ProcessGuid: {7531FA7E-D268-5519-0000-00105DF81A06}      ProcessId: 4388      Image: C:\WINDOWS\system32\cmd.exe      CommandLine: "C:\windows\system32\cmd.exe"       User: SYSTEM-NAME\UserName      LogonGuid: {7531FA7E-CFE1-5519-0000-0020F62C1906}      LogonId: 0x6192cf6      TerminalSessionId: 3      IntegrityLevel: no level      HashType: SHA1      Hash: 254E37EC33C921C5AB253F14F9274F349B3CCC2D      ParentProcessGuid: {7531FA7E-CFE2-5519-0000-0010CC5A1906}      ParentProcessId: 1008      ParentImage: C:\WINDOWS\explorer.exe      ParentCommandLine: C:\windows\Explorer.EXE
+rule = 18101
+alert = 0
+decoder = Sysmon-EventID#1
+