From a9341bc35eca159192a2fc94481bc12599ef2cd6 Mon Sep 17 00:00:00 2001
From: Fede Tux <federico.galland@wazuh.com>
Date: Mon, 9 Sep 2024 11:44:40 -0300
Subject: [PATCH] Remove ossec references from sample events

---
 .../tools/events-generator/wazuh-alerts/alerts.json      | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/integrations/tools/events-generator/wazuh-alerts/alerts.json b/integrations/tools/events-generator/wazuh-alerts/alerts.json
index 207ed5db04754..d3aea442be327 100644
--- a/integrations/tools/events-generator/wazuh-alerts/alerts.json
+++ b/integrations/tools/events-generator/wazuh-alerts/alerts.json
@@ -1048,7 +1048,6 @@
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4551, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "180", "ignore": "60", "if_matched_sid": "4503"}, "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["netscreenfw"], "description": "Netscreen firewall: Multiple critical messages."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0040-imapd_rules.xml", "relative_dirname": "ruleset/rules", "id": 3602, "level": 3, "status": "enabled", "details": {"if_sid": "3600", "match": "Authenticated user="}, "pci_dss": ["10.2.5"], "gpg13": ["7.1"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "imapd"], "description": "Imapd user login."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2960, "level": 2, "status": "enabled", "details": {"decoded_as": "gpasswd", "match": "added by"}, "gpg13": ["7.9", "4.13"], "gdpr": ["IV_32.2"], "mitre": {"tactic": ["Persistence"], "id": ["T1136"], "technique": ["Create Account"]}, "groups": ["syslog", "yum"], "description": "User added to group."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
-{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 550, "level": 7, "status": "enabled", "details": {"category": "wazuh", "decoded_as": "syscheck_integrity_changed"}, "pci_dss": ["11.5"], "gpg13": ["4.11"], "gdpr": ["II_5.1.f"], "hipaa": ["164.312.c.1", "164.312.c.2"], "nist_800_53": ["SI.7"], "tsc": ["PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1492"], "technique": ["Stored Data Manipulation"]}, "groups": ["syscheck", "wazuh"], "description": "Integrity checksum changed."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5403, "level": 4, "status": "enabled", "details": {"if_sid": "5400", "if_fts": ""}, "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "First time user executed sudo."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5402, "level": 3, "status": "enabled", "details": {"if_sid": "5400", "regex": " ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; COMMAND="}, "pci_dss": ["10.2.5", "10.2.2"], "gpg13": ["7.6", "7.8", "7.13"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "AC.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Successful sudo to ROOT executed."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3105, "level": 5, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=553 5.1.8 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sender domain is not found  (553: Requested action not taken)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
@@ -1067,7 +1066,6 @@
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3102, "level": 5, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=451 4.1.8 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sender domain does not have any valid MX record (Requested action aborted)."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3154, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3105", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0085-pam_rules.xml", "relative_dirname": "ruleset/rules", "id": 5501, "level": 3, "status": "enabled", "details": {"if_sid": "5500", "match": "session opened for user "}, "pci_dss": ["10.2.5"], "gpg13": ["7.8", "7.9"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "pam", "syslog"], "description": "PAM: Login session opened."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"}
-{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 504, "level": 3, "status": "enabled", "details": {"if_sid": "500", "match": "Agent disconnected"}, "pci_dss": ["10.6.1", "10.2.6"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "AU.14", "AU.5"], "tsc": ["CC7.2", "CC7.3", "CC6.8"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1089"], "technique": ["Disabling Security Tools"]}, "groups": ["wazuh"], "description": "Ossec agent disconnected."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3304, "level": 5, "status": "enabled", "details": {"if_sid": "3300", "id": "^503$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands)."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3152, "level": 6, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3103", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple attempts to send e-mail from a previously rejected sender (access)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3303, "level": 5, "status": "enabled", "details": {"if_sid": "3300", "id": "^450$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Sender domain is not found (450: Requested mail action not taken)."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
@@ -1079,15 +1077,10 @@
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2961, "level": 5, "status": "enabled", "details": {"if_sid": "2960", "group": "sudo"}, "gpg13": ["7.9", "4.13"], "gdpr": ["IV_32.2"], "mitre": {"tactic": ["Persistence"], "id": ["T1136"], "technique": ["Create Account"]}, "groups": ["syslog", "yum"], "description": "User added to group sudo."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3351, "level": 6, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "90", "if_matched_sid": "3301", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple relaying attempts of spam."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5304, "level": 3, "status": "enabled", "details": {"if_sid": "5300", "regex": ["session opened for user|succeeded for|", "^+|^S+ to |^SU S+ S+ + "]}, "pci_dss": ["10.2.5"], "gpg13": ["7.6", "7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "su"], "description": "User successfully changed UID."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
-{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 592, "level": 8, "status": "enabled", "details": {"if_sid": "500", "match": "^ossec: File size reduced"}, "pci_dss": ["10.5.2", "11.4"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.9", "SI.4"], "tsc": ["CC6.1", "CC7.2", "CC7.3", "CC6.8"], "mitre": {"tactic": ["Impact"], "id": ["T1492"], "technique": ["Stored Data Manipulation"]}, "groups": ["attacks", "wazuh"], "description": "Log file size reduced."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0050-ms-exchange_rules.xml", "relative_dirname": "ruleset/rules", "id": 3851, "level": 9, "status": "enabled", "details": {"frequency": "12", "timeframe": "120", "ignore": "120", "if_matched_sid": "3801", "same_source_ip": ""}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "ms", "exchange"], "description": "ms-exchange: Multiple e-mail attempts to an invalid account."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5132, "level": 11, "status": "enabled", "details": {"if_sid": "5100", "match": "module verification failed"}, "mitre": {"tactic": ["Persistence"], "id": ["T1215"], "technique": ["Kernel Modules and Extensions"]}, "groups": ["syslog", "linuxkernel"], "description": "Unsigned kernel module was loaded"}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
-{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 553, "level": 7, "status": "enabled", "details": {"category": "wazuh", "decoded_as": "syscheck_deleted"}, "pci_dss": ["11.5"], "gpg13": ["4.11"], "gdpr": ["II_5.1.f"], "hipaa": ["164.312.c.1", "164.312.c.2"], "nist_800_53": ["SI.7"], "tsc": ["PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion", "Impact"], "id": ["T1107", "T1485"], "technique": ["File Deletion", "Data Destruction"]}, "groups": ["syscheck", "wazuh"], "description": "File deleted."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"}
-{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 505, "level": 3, "status": "enabled", "details": {"if_sid": "500", "match": "Agent removed"}, "pci_dss": ["10.6.1", "10.2.6"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "AU.14", "AU.5"], "tsc": ["CC7.2", "CC7.3", "CC6.8"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1089"], "technique": ["Disabling Security Tools"]}, "groups": ["wazuh"], "description": "Ossec agent removed."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0090-telnetd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5631, "level": 10, "status": "enabled", "details": {"frequency": "6", "timeframe": "120", "if_matched_sid": "5602", "same_source_ip": ""}, "gdpr": ["IV_35.7.d", "IV_32.2"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["syslog", "telnetd"], "description": "telnetd: Multiple connection attempts from same source (possible scan)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4339, "level": 8, "status": "enabled", "details": {"if_sid": "4314", "id": "^5-111003"}, "pci_dss": ["1.1.1", "10.4"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1", "164.312.b"], "nist_800_53": ["CM.3", "CM.5", "AU.8"], "tsc": ["CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1089"], "technique": ["Disabling Security Tools"]}, "groups": ["config_changed", "syslog", "pix"], "description": "PIX: Firewall configuration deleted."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
-{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 518, "level": 9, "status": "enabled", "details": {"if_sid": "514", "match": "Adware|Spyware"}, "gpg13": ["4.2"], "gdpr": ["IV_35.7.d"], "mitre": {"tactic": ["Lateral Movement"], "id": ["T1017"], "technique": ["Application Deployment Software"]}, "groups": ["rootcheck", "wazuh"], "description": "Windows Adware/Spyware application found."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
-{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 597, "level": 5, "status": "enabled", "details": {"category": "wazuh", "if_sid": "553", "hostname": "syscheck-registry"}, "pci_dss": ["11.5"], "gpg13": ["4.13"], "gdpr": ["II_5.1.f"], "hipaa": ["164.312.c.1", "164.312.c.2"], "nist_800_53": ["SI.7"], "tsc": ["PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion", "Impact"], "id": ["T1107", "T1485"], "technique": ["File Deletion", "Data Destruction"]}, "groups": ["syscheck", "wazuh"], "description": "Registry Entry Deleted."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0095-sshd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5701, "level": 8, "status": "enabled", "details": {"if_sid": "5700", "match": "Bad protocol version identification"}, "pci_dss": ["11.4"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1190"], "technique": ["Exploit Public-Facing Application"]}, "groups": ["recon", "syslog", "sshd"], "description": "sshd: Possible attack on the ssh server (or version gathering)."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0040-imapd_rules.xml", "relative_dirname": "ruleset/rules", "id": 3651, "level": 10, "status": "enabled", "details": {"frequency": "$IMAPD_FREQ", "timeframe": "120", "if_matched_sid": "3601", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "syslog", "imapd"], "description": "Imapd Multiple failed logins from same source ip."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5407, "level": 3, "status": "enabled", "details": {"if_sid": "5400", "regex": " ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="}, "pci_dss": ["10.2.5", "10.2.2"], "gpg13": ["7.6", "7.8", "7.13"], "gdpr": ["IV_32.2"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Successful sudo executed."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
@@ -1120,14 +1113,12 @@
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3355, "level": 10, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "if_matched_sid": "3305", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3397, "level": 6, "status": "enabled", "details": {"if_sid": "3395", "match": "RBL"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: RBL lookup error: Host or domain name not found"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3305, "level": 5, "status": "enabled", "details": {"if_sid": "3300", "id": "^504$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"}
-{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 594, "level": 5, "status": "enabled", "details": {"category": "wazuh", "if_sid": "550", "hostname": "syscheck-registry"}, "pci_dss": ["11.5"], "gpg13": ["4.13"], "gdpr": ["II_5.1.f"], "hipaa": ["164.312.c.1", "164.312.c.2"], "nist_800_53": ["SI.7"], "tsc": ["PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1492"], "technique": ["Stored Data Manipulation"]}, "groups": ["syscheck", "wazuh"], "description": "Registry Integrity Checksum Changed"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3356, "level": 10, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "ignore": "30", "if_matched_sid": "3306", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5133, "level": 11, "status": "enabled", "details": {"if_sid": "5100", "match": "PKCS#7 signature not signed with a trusted key"}, "mitre": {"tactic": ["Persistence"], "id": ["T1215"], "technique": ["Kernel Modules and Extensions"]}, "groups": ["syslog", "linuxkernel"], "description": "Signed but untrusted kernel module was loaded"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3357, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "ignore": "60", "if_matched_sid": "3332", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "syslog", "postfix"], "description": "Postfix: Multiple SASL authentication failures."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2551, "level": 10, "status": "enabled", "details": {"if_sid": "2550", "regex": "^Connection from S+ on illegal port$"}, "pci_dss": ["10.6.1"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Discovery"], "id": ["T1046"], "technique": ["Network Service Scanning"]}, "groups": ["connection_attempt", "syslog", "access_control"], "description": "Connection to rshd from unprivileged port. Possible network scan."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0055-courier_rules.xml", "relative_dirname": "ruleset/rules", "id": 3910, "level": 10, "status": "enabled", "details": {"frequency": "12", "timeframe": "30", "if_matched_sid": "3902", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "syslog", "courier"], "description": "Courier brute force (multiple failed logins)."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4325, "level": 8, "status": "enabled", "details": {"if_sid": "4313", "id": "^4-405001"}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Command and Control"], "id": ["T1095"], "technique": ["Standard Non-Application Layer Protocol"]}, "groups": ["syslog", "pix"], "description": "PIX: ARP collision detected."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"}
-{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 593, "level": 9, "status": "enabled", "details": {"if_sid": "500", "match": "^ossec: Event log cleared"}, "pci_dss": ["10.5.2"], "gpg13": ["10.1"], "gdpr": ["II_5.1.f", "IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.9"], "tsc": ["CC6.1", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1070"], "technique": ["Indicator Removal on Host"]}, "groups": ["logs_cleared", "wazuh"], "description": "Microsoft Event log cleared."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5104, "level": 8, "status": "enabled", "details": {"if_sid": "5100", "regex": ["Promiscuous mode enabled|", "device S+ entered promiscuous mode"]}, "pci_dss": ["10.6.1", "11.4"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Discovery"], "id": ["T1040"], "technique": ["Network Sniffing"]}, "groups": ["promisc", "syslog", "linuxkernel"], "description": "Interface entered in promiscuous(sniffing) mode."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0085-pam_rules.xml", "relative_dirname": "ruleset/rules", "id": 5551, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "180", "if_matched_sid": "5503", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "pam", "syslog"], "description": "PAM: Multiple failed logins in a small period of time."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"}
 {"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3335, "level": 6, "status": "enabled", "details": {"if_sid": "3320", "match": "^too many "}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: too many errors after RCPT from unknown"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}