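<!--
  Wazuh rules for Sophos Central events.

  Rule 102000 is the parent: it matches any JSON-decoded record whose
  "datastream" field is exactly "event". Every other rule in this group is a
  child (if_sid) of 102000 or of one of its descendants, so the JSON decoder
  and the datastream check apply to all of them.

  Matching notes:
  * A <field> pattern is a regex search over the field value, not a
    whole-value match, unless it is anchored with ^ and $. This is what lets
    102002 fire on "Threat::" and the child rules narrow it to specific types.
  * Level 0 means the event is ignored and no alert is written. The level-0
    rules below (102001, 102034, 102046) are deliberate suppressions; review
    them whenever the matched patterns or the upstream event format change.
-->
<group name="sophos,">

  <!-- Parent rule: any Sophos Central event record. -->
  <rule id="102000" level="3">
    <decoded_as>json</decoded_as>
    <field name="datastream">^event$</field>
    <description>Sophos Event</description>
  </rule>

  <!-- Suppression: restore failures are treated as noise and dropped. -->
  <rule id="102001" level="0">
    <if_sid>102000</if_sid>
    <field name="name">^Restore failed: </field>
    <description>Sophos Restore Failed Noise</description>
  </rule>

  <!--
    Generic threat event (any type containing "Threat::"). Level 12 unless
    one of the child rules below recognises the specific type.
  -->
  <rule id="102002" level="12">
    <if_sid>102000</if_sid>
    <field name="type">Threat::</field>
    <description>Sophos Threat Detected</description>
  </rule>

  <!-- Threat already cleaned up: downgraded to level 5. -->
  <rule id="102004" level="5">
    <if_sid>102002</if_sid>
    <field name="type">Threat::CleanedUp|Threat::PuaCleanedUp</field>
    <description>Sophos Threat CleanedUp</description>
  </rule>

  <rule id="102006" level="12">
    <if_sid>102002</if_sid>
    <field name="type">Threat::PuaDetected</field>
    <description>Sophos PUA Threat Detected</description>
  </rule>

  <rule id="102008" level="12">
    <if_sid>102002</if_sid>
    <field name="type">Threat::IpsInboundDetection</field>
    <description>Sophos IPS Threat Detected</description>
  </rule>

  <!-- A dismissed threat keeps level 12: the detection was acknowledged, not remediated. -->
  <rule id="102010" level="12">
    <if_sid>102002</if_sid>
    <field name="type">Threat::Dismissed|Threat::PuaDismissed</field>
    <description>Sophos Threat Dismissed</description>
  </rule>

  <!-- Requires both the type and an exact "group" value of PUA. -->
  <rule id="102012" level="12">
    <if_sid>102000</if_sid>
    <field name="type">Endpoint::CorePuaDetected</field>
    <field name="group">^PUA$</field>
    <description>Sophos PUA Detected</description>
  </rule>

  <!-- Web control violation; see 102034 for the per-site suppression. -->
  <rule id="102014" level="5">
    <if_sid>102000</if_sid>
    <field name="type">Endpoint::WebControlViolation</field>
    <description>Sophos Web Control Violation</description>
  </rule>

  <!--
    NOTE(review): "WindowsFIrewall" (capital I) is kept as found. If the real
    event type is spelled "WindowsFirewall" and field matching is
    case-sensitive, this rule never fires. Confirm against a captured event.
  -->
  <rule id="102016" level="10">
    <if_sid>102000</if_sid>
    <field name="type">Endpoint::WindowsFIrewall::Blocked</field>
    <description>Sophos App Block by Windows Firewall</description>
  </rule>

  <rule id="102018" level="10">
    <if_sid>102000</if_sid>
    <field name="type">Endpoint::UpdateRebootRequired</field>
    <description>Sophos Update is Waiting for Reboot</description>
  </rule>

  <rule id="102020" level="1">
    <if_sid>102000</if_sid>
    <field name="type">Endpoint::UpdateSuccess</field>
    <description>Sophos Update Success</description>
  </rule>

  <!-- Protection gap: one or more agent services stopped. -->
  <rule id="102022" level="12">
    <if_sid>102000</if_sid>
    <field name="type">Endpoint::ServiceNotRunning</field>
    <description>Sophos One or more Sophos Services Not Running</description>
  </rule>

  <rule id="102024" level="1">
    <if_sid>102000</if_sid>
    <field name="type">Endpoint::ServiceRestored</field>
    <description>Sophos Service(s) Restored</description>
  </rule>

  <rule id="102026" level="12">
    <if_sid>102000</if_sid>
    <field name="type">Endpoint::UpdateFailure</field>
    <description>Sophos Update Failed</description>
  </rule>

  <!-- Description typo fixed ("Manaul" to "Manual"); the match is unchanged. -->
  <rule id="102028" level="12">
    <if_sid>102000</if_sid>
    <field name="type">Endpoint::CorePuaCleanFailed</field>
    <description>Sophos Manual PUA Cleanup Required</description>
  </rule>

  <!-- Protection gap: endpoint reports it is not protected. -->
  <rule id="102030" level="12">
    <if_sid>102000</if_sid>
    <field name="type">Endpoint::NotProtected</field>
    <description>Sophos Installation Not Successful</description>
  </rule>

  <!-- Requires the type and an exact "group" of MALWARE or PUA. -->
  <rule id="102032" level="12">
    <if_sid>102000</if_sid>
    <field name="type">Endpoint::CoreReboot|Endpoint::CorePuaReboot</field>
    <field name="group">^MALWARE$|^PUA$</field>
    <description>Sophos Device Reboot Required to Complete Cleanup</description>
  </rule>

  <!--
    Suppression: drops web control violations whose "name" contains this
    string. The pattern is unanchored, so any name that merely contains it
    (for example a longer hostname built around it) is also dropped.
    NOTE(review): if the field holds the bare hostname, anchor with ^ and $;
    confirm the field format and how the regex type treats the dots before
    relying on an exact-host intent.
  -->
  <rule id="102034" level="0">
    <if_sid>102014</if_sid>
    <field name="name">translate.google.com</field>
    <description>Sophos Google translate Block</description>
  </rule>

  <rule id="102040" level="5">
    <if_sid>102000</if_sid>
    <field name="name">Peripheral allowed: error</field>
    <description>Sophos Peripheral Device Allowed</description>
  </rule>

  <!-- Highest severity in this file; also tagged rt_alert for real-time routing. -->
  <rule id="102042" level="15">
    <if_sid>102000</if_sid>
    <field name="name">malicious behavior detected</field>
    <group>rt_alert,</group>
    <description>Sophos Need Immediate Action - Probably Malware Detected on Device</description>
  </rule>

  <rule id="102044" level="12">
    <if_sid>102000</if_sid>
    <field name="type">Endpoint::HmpaExploitPrevented</field>
    <description>Sophos Exploit Prevented</description>
  </rule>

  <!-- Suppression: "alerted only" device events are dropped. -->
  <rule id="102046" level="0">
    <if_sid>102000</if_sid>
    <field name="type">Event::Endpoint::Device::AlertedOnly</field>
    <description>Sophos Peripheral Allowed</description>
  </rule>

</group>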