Enhancing Cybersecurity with Wazuh Decoders in Blue Team Operations

Introduction

In today’s interconnected digital landscape, cybersecurity has become a paramount concern for organisations and individuals alike. As cyber threats continue to evolve, so too must the defensive measures put in place to protect sensitive data and critical systems. Blue team operations, which focus on defensive strategies and incident response, play a vital role in safeguarding against cyberattacks. This article explores the significance of Wazuh decoders in blue team operations, with a particular focus on a custom decoder designed to handle Comodo antivirus logs.

Understanding Blue Team Operations

Blue team operations are an integral part of cybersecurity, representing the defensive side of the field. Blue teams are responsible for identifying and mitigating security threats, responding to incidents, and implementing proactive measures to protect an organisation’s digital assets. These operations involve a combination of people, processes, and technologies designed to enhance an organisation’s overall security posture.

Wazuh: A Powerful Blue Team Tool

Wazuh is an open-source security monitoring platform that has gained popularity in blue team circles due to its versatility, effectiveness and permissive licensing. It allows security professionals to monitor their environment for security incidents, detect vulnerabilities, and respond to threats promptly. One of the key features of Wazuh is its decoder system, which is used to interpret and normalise log data from various sources: a decoder recognises a log format, extracts the fields of interest and hands them to the rule engine under stable names.

Custom Decoders in Wazuh

Custom decoders in Wazuh are essential for parsing and normalising log data from sources that may not have native support. They enable security teams to analyse logs efficiently and respond to incidents effectively.

Custom Decoder: Handling Comodo Antivirus Logs

One of the more exciting aspects of blue team operations is the ability to create custom decoders tailored to the specific needs of an organisation. As an example, let’s delve into a custom decoder written for the logs of Comodo antivirus (Comodo Client Security), which emits its events in CEF format through a dedicated Windows event channel.

The custom decoder is shown below:

<decoder name="comodoparent">
  <prematch>CEF:0\|comodo</prematch>
</decoder>

<decoder name="comodomalwaredetection">
  <parent>comodoparent</parent>
  <use_own_name>true</use_own_name>
  <prematch>Malware Detected\|10</prematch>
  <regex type="pcre2">CEF:0\|comodo\|cis\.ccs\|[^\|]+\|[^\|]+\|Malware Detected\|[^\|]+\|filePath=([^\s]+) fname=[^\s]+ act=([^\s]+) reason=[^\s]+ cat=[^\s]+ cs1Label=[^\s]+ cs1=[^\s]+ cs2Label=[^\s]+ cs2=[^\s]+ cs4Label=[^\s]+ cs4=[^\s]+ suser=[^\s]+ spriv=[^\s]+ deviceNtDomain=[^\s]+ ssid=[^\s]+ fileHash=([^\s]+) dvchost=([^\s]+) dvc=[^\s]+ deviceExternalId=[^\s]+</regex>
  <order>filePath, act, filehash, dvchost</order>
</decoder>

<decoder name="comodomalwaredeletion">
  <parent>comodoparent</parent>
  <use_own_name>true</use_own_name>
  <prematch>Malware Deleted\|7</prematch>
  <regex type="pcre2">CEF:0\|comodo\|cis\.ccs\|[^\|]+\|[^\|]+\|Malware Deleted\|[^\|]+\|filePath=([^\s]+) fname=[^\s]+ act=([^\s]+) reason=[^\s]+ cat=[^\s]+ cs1Label=[^\s]+ cs1=[^\s]+ cs2Label=[^\s]+ cs2=[^\s]+ cs4Label=[^\s]+ cs4=[^\s]+ dvchost=([^\s]+) dvc=[^\s]+ deviceExternalId=[^\s]+</regex>
  <order>filePath, act, dvchost</order>
</decoder>

<decoder name="comodomalwarequarantine">
  <parent>comodoparent</parent>
  <use_own_name>true</use_own_name>
  <prematch>Malware Quarantined\|7</prematch>
  <regex type="pcre2">CEF:0\|comodo\|cis\.ccs\|[^\|]+\|[^\|]+\|Malware Quarantined\|[^\|]+\|filePath=([^\s]+) fname=[^\s]+ act=([^\s]+) reason=[^\s]+ cat=[^\s]+ cs1Label=[^\s]+ cs1=[^\s]+ cs2Label=[^\s]+ cs2=[^\s]+ cs4Label=[^\s]+ cs4=[^\s]+ dvchost=([^\s]+) dvc=[^\s]+ deviceExternalId=[^\s]+</regex>
  <order>filePath, act, dvchost</order>
</decoder>

<decoder name="comodomalwarecontained">
  <parent>comodoparent</parent>
  <use_own_name>true</use_own_name>
  <prematch>HIPS Event\|5\|act=contained</prematch>
  <regex type="pcre2">CEF:0\|comodo\|cis\.ccs\|[^\|]+\|[^\|]+\|HIPS Event\|[^\|]+\|act=([^\s]+) reason=[^\s]+ cat=[^\s]+ filePath=([^\s]+) fname=[^\s]+ fileHash=([^\s]+) dvchost=([^\s]+) dvc=[^\s]+ deviceExternalId=[^\s]+</regex>
  <order>act, filePath, fileHash, dvchost</order>
</decoder>

The Comodo antivirus decoder comprises a parent decoder and four child decoders, each created to handle one type of Comodo log message. Let’s break down the key components:

comodoparent: This is the parent decoder that identifies Comodo log entries with the prematch condition “CEF:0|comodo”. It serves as the foundation for the other decoders, all of which declare it as their parent.

comodomalwaredetection: This decoder is designed to handle logs related to malware detection. It identifies logs with the prematch condition “Malware Detected|10” and extracts the file path, action, file hash and reporting host.

comodomalwaredeletion: This decoder processes logs related to malware deletion, identifying entries with the prematch condition “Malware Deleted|7” and extracting the file path, action and reporting host.

comodomalwarequarantine: This decoder handles logs related to malware quarantine, identifying entries with the prematch condition “Malware Quarantined|7” and extracting the file path, action and reporting host.

comodomalwarecontained: This decoder handles HIPS containment events, identifying entries with the prematch condition “HIPS Event|5|act=contained” and extracting the action, file path, file hash and reporting host.

Two details are worth checking before reusing these decoders. First, every value is captured with [^\s]+, so a field containing a literal space would break the match; the sample log below suggests Comodo encodes embedded spaces as <space> (deviceNtDomain=NT<space>AUTHORITY), which is why the whitespace-delimited patterns work. Second, the detection decoder names its hash field filehash in its <order> element while the containment decoder uses fileHash; rules or dashboards that reference the hash need to account for both spellings, or the <order> elements should be aligned.
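To see how the chain behaves without a Wazuh manager at hand, the following Python script is an added example (not code from the article or from Wazuh) that re-implements the parent/child prematch and the regex-to-<order> mapping using the page’s own patterns. The detection sample is the CEF message from the archives.log entry shown later on this page; the HIPS containment sample and the path-with-a-space sample are constructed, with placeholder ids and hash. The script also goes beyond the single event the article tests: it covers all four child decoders and shows that a path containing a literal space defeats the [^\s]+ captures, so such an event would decode to nothing.

```python
import re

# Added example, not code from the article or from Wazuh. It models the
# article's decoder chain in plain Python so the regexes can be exercised
# offline: parent prematch -> first child whose prematch and regex match ->
# captures mapped onto the <order> names. Simplifications: prematch is treated
# as a literal substring (Wazuh evaluates it as a regex), and Python's re
# stands in for PCRE2, which is equivalent for the constructs used here.

PARENT_PREMATCH = "CEF:0|comodo"


def _header(event_name: str) -> str:
    """CEF header as written in the article's regexes: vendor|product|version|id|name|severity|"""
    return (r"CEF:0\|comodo\|cis\.ccs\|[^|]+\|[^|]+\|"
            + re.escape(event_name) + r"\|[^|]+\|")


# Extension fields shared by the three "Malware ..." decoders on the page.
_AV_FIELDS = (
    r"filePath=([^\s]+) fname=[^\s]+ act=([^\s]+) reason=[^\s]+ cat=[^\s]+ "
    r"cs1Label=[^\s]+ cs1=[^\s]+ cs2Label=[^\s]+ cs2=[^\s]+ "
    r"cs4Label=[^\s]+ cs4=[^\s]+ "
)
_TAIL = r"dvchost=([^\s]+) dvc=[^\s]+ deviceExternalId=[^\s]+"

# One entry per child decoder; "order" copies each <order> element verbatim,
# including the lowercase "filehash" used by the detection decoder.
CHILD_DECODERS = [
    {
        "name": "comodomalwaredetection",
        "prematch": "Malware Detected|10",
        "regex": re.compile(
            _header("Malware Detected") + _AV_FIELDS
            + r"suser=[^\s]+ spriv=[^\s]+ deviceNtDomain=[^\s]+ ssid=[^\s]+ "
            + r"fileHash=([^\s]+) " + _TAIL),
        "order": ["filePath", "act", "filehash", "dvchost"],
    },
    {
        "name": "comodomalwaredeletion",
        "prematch": "Malware Deleted|7",
        "regex": re.compile(_header("Malware Deleted") + _AV_FIELDS + _TAIL),
        "order": ["filePath", "act", "dvchost"],
    },
    {
        "name": "comodomalwarequarantine",
        "prematch": "Malware Quarantined|7",
        "regex": re.compile(_header("Malware Quarantined") + _AV_FIELDS + _TAIL),
        "order": ["filePath", "act", "dvchost"],
    },
    {
        "name": "comodomalwarecontained",
        "prematch": "HIPS Event|5|act=contained",
        "regex": re.compile(
            _header("HIPS Event")
            + r"act=([^\s]+) reason=[^\s]+ cat=[^\s]+ filePath=([^\s]+) fname=[^\s]+ "
            + r"fileHash=([^\s]+) " + _TAIL),
        "order": ["act", "filePath", "fileHash", "dvchost"],
    },
]


def decode(message: str):
    """Return (decoder_name, fields) for the first matching child, or None."""
    if PARENT_PREMATCH not in message:
        return None
    for dec in CHILD_DECODERS:
        if dec["prematch"] not in message:
            continue
        m = dec["regex"].search(message)
        if m:
            return dec["name"], dict(zip(dec["order"], m.groups()))
    return None


# The CEF message from the article's archives.log entry, JSON escaping removed.
SAMPLE_DETECTED = (
    r"Jan 26 2023 00:25:17 0000 DESKTOP-DUC9BUG CEF:0|comodo|cis.ccs|12.10.0.8697|"
    r"5C8DB4B6-21F0-4BD5-8C9A-D7DE23314807|Malware Detected|10|"
    r"filePath=C:\Users\Test01\Desktop\testfinal.txt fname=testfinal.txt act=Detect "
    r"reason=av_realtime cat=av cs1Label=malware_name cs1=Malware@#2975xfk8s2pq1 "
    r"cs2Label=signature_id cs2=2975xfk8s2pq1 cs4Label=engine_ver cs4=35356 "
    r"suser=SYSTEM spriv=Administrator deviceNtDomain=NT<space>AUTHORITY ssid=SYSTEM "
    r"fileHash=3395856CE81F2B7382DEE72602F798B642F14140 dvchost=DESKTOP-DUC9BUG "
    r"dvc=169.254.226.200 deviceExternalId=F9E2D4EA8A7C91452769F6946D7889030A92897A"
)

# Constructed sample (not from the article) in the shape the HIPS decoder's
# regex expects; the id and hash values are placeholders.
SAMPLE_CONTAINED = (
    r"CEF:0|comodo|cis.ccs|12.10.0.8697|PLACEHOLDER-ID|HIPS Event|5|act=contained "
    r"reason=hips cat=hips filePath=C:\Users\Test01\Downloads\sample.exe "
    r"fname=sample.exe fileHash=0000000000000000000000000000000000000000 "
    r"dvchost=DESKTOP-DUC9BUG dvc=169.254.226.200 deviceExternalId=PLACEHOLDER-ID"
)

# Constructed variant with a literal space in the path: [^\s]+ cannot span it,
# so no child decoder matches and only <match>-based rules could still fire.
SAMPLE_SPACE_IN_PATH = SAMPLE_DETECTED.replace(r"C:\Users\Test01", r"C:\Program Files")

if __name__ == "__main__":
    for sample in (SAMPLE_DETECTED, SAMPLE_CONTAINED, SAMPLE_SPACE_IN_PATH):
        print(decode(sample))
```

Running the script prints the four fields the logtest output further down reports for the real event (filePath, act, filehash, dvchost), the fields of the constructed containment event, and None for the path containing a space. Keeping a script like this next to the decoder file gives a quick regression check whenever a regex is edited, before the change is loaded into the manager.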

The decoders are paired with the ruleset below. Wazuh requires rules to sit inside a group element; the group name openedr is the one reported in the test output further down:

<group name="openedr">
  <rule id="110002" level="12">
    <decoded_as>comodoparent</decoded_as>
    <description>OpenEDR has logged an event</description>
  </rule>
  <rule id="110003" level="12">
    <match>comodo</match>
    <description>OpenEDR has logged an event</description>
  </rule>
</group>

The result is the following archives.log entry, captured from a test virtual machine. In the wazuh-logtest output that follows it, note that rule 110003 is the one that fires: because the child decoders set use_own_name, the decoded name is comodomalwaredetection rather than comodoparent, so the decoded_as condition in rule 110002 does not match and the event is caught by the <match>comodo</match> rule instead.

2023 Jan 26 00:29:28 (DESKTOP-DUC9BUG) any->EventChannel {"win":{"system":{"providerName":"Antivirus","eventID":"2","version":"0","level":"3","task":"26","opcode":"0","keywords":"0x80000000000000","systemTime":"2023-01-26T00:25:17.1095649Z","eventRecordID":"5901","processID":"0","threadID":"0","channel":"COMODO Client - Security CEF","computer":"DESKTOP-DUC9BUG","severityValue":"WARNING","message":"\"Jan 26 2023 00:25:17 0000 DESKTOP-DUC9BUG CEF:0|comodo|cis.ccs|12.10.0.8697|5C8DB4B6-21F0-4BD5-8C9A-D7DE23314807|Malware Detected|10|filePath=C:\\Users\\Test01\\Desktop\\testfinal.txt fname=testfinal.txt act=Detect reason=av_realtime cat=av cs1Label=malware_name cs1=Malware@#2975xfk8s2pq1 cs2Label=signature_id cs2=2975xfk8s2pq1 cs4Label=engine_ver cs4=35356 suser=SYSTEM spriv=Administrator deviceNtDomain=NT<space>AUTHORITY ssid=SYSTEM fileHash=3395856CE81F2B7382DEE72602F798B642F14140 dvchost=DESKTOP-DUC9BUG dvc=169.254.226.200 deviceExternalId=F9E2D4EA8A7C91452769F6946D7889030A92897A \""},"eventdata":{"data":"Jan 26 2023 00:25:17 0000 DESKTOP-DUC9BUG CEF:0|comodo|cis.ccs|12.10.0.8697|5C8DB4B6-21F0-4BD5-8C9A-D7DE23314807|Malware Detected|10|filePath=C:\\\\Users\\\\Test01\\\\Desktop\\\\testfinal.txt fname=testfinal.txt act=Detect reason=av_realtime cat=av cs1Label=malware_name cs1=Malware@#2975xfk8s2pq1 cs2Label=signature_id cs2=2975xfk8s2pq1 cs4Label=engine_ver cs4=35356 suser=SYSTEM spriv=Administrator deviceNtDomain=NT&lt;space&gt;AUTHORITY ssid=SYSTEM fileHash=3395856CE81F2B7382DEE72602F798B642F14140 dvchost=DESKTOP-DUC9BUG dvc=169.254.226.200 deviceExternalId=F9E2D4EA8A7C91452769F6946D7889030A92897A"}}}
wazuh-logtest output for the same event:
**Messages:
	WARNING: (7003): '383fde44' token expires
	INFO: (7202): Session initialized with token '68942d53'

**Phase 1: Completed pre-decoding.
	full event: '2023 Jan 26 00:29:28 (DESKTOP-DUC9BUG) any->EventChannel {"win":{"system":{"providerName":"Antivirus","eventID":"2","version":"0","level":"3","task":"26","opcode":"0","keywords":"0x80000000000000","systemTime":"2023-01-26T00:25:17.1095649Z","eventRecordID":"5901","processID":"0","threadID":"0","channel":"COMODO Client - Security CEF","computer":"DESKTOP-DUC9BUG","severityValue":"WARNING","message":"\"Jan 26 2023 00:25:17 0000 DESKTOP-DUC9BUG CEF:0|comodo|cis.ccs|12.10.0.8697|5C8DB4B6-21F0-4BD5-8C9A-D7DE23314807|Malware Detected|10|filePath=C:\\Users\\Test01\\Desktop\\testfinal.txt fname=testfinal.txt act=Detect reason=av_realtime cat=av cs1Label=malware_name cs1=Malware@#2975xfk8s2pq1 cs2Label=signature_id cs2=2975xfk8s2pq1 cs4Label=engine_ver cs4=35356 suser=SYSTEM spriv=Administrator deviceNtDomain=NT<space>AUTHORITY ssid=SYSTEM fileHash=3395856CE81F2B7382DEE72602F798B642F14140 dvchost=DESKTOP-DUC9BUG dvc=169.254.226.200 deviceExternalId=F9E2D4EA8A7C91452769F6946D7889030A92897A \""},"eventdata":{"data":"Jan 26 2023 00:25:17 0000 DESKTOP-DUC9BUG CEF:0|comodo|cis.ccs|12.10.0.8697|5C8DB4B6-21F0-4BD5-8C9A-D7DE23314807|Malware Detected|10|filePath=C:\\\\Users\\\\Test01\\\\Desktop\\\\testfinal.txt fname=testfinal.txt act=Detect reason=av_realtime cat=av cs1Label=malware_name cs1=Malware@#2975xfk8s2pq1 cs2Label=signature_id cs2=2975xfk8s2pq1 cs4Label=engine_ver cs4=35356 suser=SYSTEM spriv=Administrator deviceNtDomain=NT&lt;space&gt;AUTHORITY ssid=SYSTEM fileHash=3395856CE81F2B7382DEE72602F798B642F14140 dvchost=DESKTOP-DUC9BUG dvc=169.254.226.200 deviceExternalId=F9E2D4EA8A7C91452769F6946D7889030A92897A"}}}'
	timestamp: '2023 Jan 26 00:29:28'

**Phase 2: Completed decoding.
	name: 'comodomalwaredetection'
	parent: 'comodoparent'
	act: 'Detect'
	dvchost: 'DESKTOP-DUC9BUG'
	filePath: 'C:\\Users\\Test01\\Desktop\\testfinal.txt'
	filehash: '3395856CE81F2B7382DEE72602F798B642F14140'

**Phase 3: Completed filtering (rules).
	id: '110003'
	level: '12'
	description: 'OpenEDR has logged an event'
	groups: '["openedr"]'
	firedtimes: '1'
	mail: 'true'
**Alert to be generated.

Conclusion

In the ever-evolving landscape of cybersecurity, blue team operations are essential for protecting organisations from cyber threats. Custom decoders, like the Comodo decoder discussed here, play a crucial role in enhancing the capabilities of security monitoring platforms like Wazuh. By normalising and structuring log data, these decoders enable security teams to detect and respond to security incidents more effectively.

This custom decoder is not just a tool; it’s an invitation to the cybersecurity community to build upon it, refine it, and create more custom solutions tailored to the evolving threat landscape. Together, we can make significant strides in defending against cyber threats and securing our digital future. If you would like to learn more, see Wazuh’s documentation on decoders.