Wazuh SIEM Integrations (II) — WithSecure Elements EPP

Intro

WithSecure Elements EPP — Events and alerts in WinEvtLogs

Integrating WithSecure Elements EPP in Wazuh SIEM

<!-- Agent side (Windows endpoint): add to ossec.conf, or push it centrally via
     agent.conf. <location> is the event channel the WithSecure provider writes
     to and must match the channel name shown in Event Viewer. -->
<localfile>
  <location>FSecureUltralightSDK</location>
  <log_format>eventchannel</log_format>
</localfile>
<!-- Manager side: append to /var/ossec/etc/rules/local_rules.xml and restart
     wazuh-manager. Every rule hangs off Wazuh's built-in Windows eventchannel
     rule 60009 and keys on the provider name plus the event ID; no_full_log
     keeps the raw event out of the alert body. -->
<group name="windows,">
  <!-- Event ID 1: informational notifications from the endpoint client. -->
  <rule id="200450" level="3">
    <if_sid>60009</if_sid>
    <field name="win.system.providerName">^F-Secure Ultralight SDK$</field>
    <field name="win.system.eventID">^1$</field>
    <options>no_full_log</options>
    <group>fsecure,</group>
    <description>F-Secure EPP - Notification</description>
  </rule>
  <!-- Event ID 2: malware detection, the alert that should page someone. -->
  <rule id="200451" level="12">
    <if_sid>60009</if_sid>
    <field name="win.system.providerName">^F-Secure Ultralight SDK$</field>
    <field name="win.system.eventID">^2$</field>
    <options>no_full_log</options>
    <group>fsecure,</group>
    <description>F-Secure EPP - Virus/Malware Infection Detected</description>
  </rule>
  <!-- Event ID 7: generic Network Interceptor (web traffic control) event. -->
  <rule id="200452" level="5">
    <if_sid>60009</if_sid>
    <field name="win.system.providerName">^F-Secure Ultralight SDK$</field>
    <field name="win.system.eventID">^7$</field>
    <options>no_full_log</options>
    <group>fsecure,</group>
    <description>F-Secure EPP - Network Interceptor</description>
  </rule>
  <!-- Event ID 7 again, narrowed by the "rl" (requested URL) field ending in
       block_page. This is a sibling of 200452 under 60009, not a child of it;
       Wazuh tests sibling rules with the higher level first, so this level 12
       rule is tried before the level 5 one and wins whenever a page is blocked. -->
  <rule id="200453" level="12">
    <if_sid>60009</if_sid>
    <field name="win.system.providerName">^F-Secure Ultralight SDK$</field>
    <field name="win.system.eventID">^7$</field>
    <field name="win.eventdata.rl">block_page$</field>
    <options>no_full_log</options>
    <group>fsecure,</group>
    <description>F-Secure EPP - Network Interceptor, Web Access Blocked</description>
  </rule>
  <!-- Event ID 6: application control blocked a process. -->
  <rule id="200454" level="12">
    <if_sid>60009</if_sid>
    <field name="win.system.providerName">^F-Secure Ultralight SDK$</field>
    <field name="win.system.eventID">^6$</field>
    <options>no_full_log</options>
    <group>fsecure,</group>
    <description>F-Secure EPP - Process/App Blocked</description>
  </rule>
</group>
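To see which of the five rules fires for each WithSecure event ID before loading the XML into a manager, the Python below transcribes the rules into a small evaluator and runs constructed eventchannel events through it. This is an added example written for this page, not SOCFortress or Wazuh code. The sample events are hand-written in the JSON shape the agent forwards for an eventchannel source; only providerName, eventID and rl come from the rules above, every other value is invented, and treating any event rooted at "win" as having already matched rule 60009 is a simplification of Wazuh's real rule tree.

```python
"""Toy evaluator for the WithSecure Elements EPP rules above (illustration only)."""
import json
import re
from typing import Optional, Tuple

# Wazuh's built-in Windows eventchannel rule that the page's rules hang off.
WINDOWS_BASE_RULE = 60009

# The page's rules, transcribed as (rule id, level, parent rule id,
# {decoded field: regex}, description). 200453 is a sibling of 200452 under
# 60009, exactly as in the XML above.
RULES = [
    (200450, 3, WINDOWS_BASE_RULE,
     {"win.system.providerName": r"^F-Secure Ultralight SDK$", "win.system.eventID": r"^1$"},
     "F-Secure EPP - Notification"),
    (200451, 12, WINDOWS_BASE_RULE,
     {"win.system.providerName": r"^F-Secure Ultralight SDK$", "win.system.eventID": r"^2$"},
     "F-Secure EPP - Virus/Malware Infection Detected"),
    (200452, 5, WINDOWS_BASE_RULE,
     {"win.system.providerName": r"^F-Secure Ultralight SDK$", "win.system.eventID": r"^7$"},
     "F-Secure EPP - Network Interceptor"),
    (200453, 12, WINDOWS_BASE_RULE,
     {"win.system.providerName": r"^F-Secure Ultralight SDK$", "win.system.eventID": r"^7$",
      "win.eventdata.rl": r"block_page$"},
     "F-Secure EPP - Network Interceptor, Web Access Blocked"),
    (200454, 12, WINDOWS_BASE_RULE,
     {"win.system.providerName": r"^F-Secure Ultralight SDK$", "win.system.eventID": r"^6$"},
     "F-Secure EPP - Process/App Blocked"),
]

# Constructed sample events (not captured from a real endpoint). Channel, URL
# and message values are made up for the example.
SAMPLE_EVENTS = {
    "notification": '{"win":{"system":{"providerName":"F-Secure Ultralight SDK","eventID":"1","channel":"FSecureUltralightSDK"},"eventdata":{"message":"Database updated"}}}',
    "infection": '{"win":{"system":{"providerName":"F-Secure Ultralight SDK","eventID":"2","channel":"FSecureUltralightSDK"},"eventdata":{"message":"Malware detected"}}}',
    "web_blocked": '{"win":{"system":{"providerName":"F-Secure Ultralight SDK","eventID":"7","channel":"FSecureUltralightSDK"},"eventdata":{"rl":"https://example.invalid/block_page"}}}',
    "web_allowed": '{"win":{"system":{"providerName":"F-Secure Ultralight SDK","eventID":"7","channel":"FSecureUltralightSDK"},"eventdata":{"rl":"https://example.invalid/allowed"}}}',
    "app_blocked": '{"win":{"system":{"providerName":"F-Secure Ultralight SDK","eventID":"6","channel":"FSecureUltralightSDK"},"eventdata":{"message":"Application blocked"}}}',
    "other_provider": '{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4624","channel":"Security"},"eventdata":{}}}',
}


def get_field(event: dict, dotted: str) -> Optional[str]:
    """Resolve a Wazuh-style dotted field name (win.system.eventID) in decoded JSON."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return str(node)


def rule_matches(fields: dict, event: dict) -> bool:
    """A <field> test is an unanchored regex search; every listed field must match."""
    for name, pattern in fields.items():
        value = get_field(event, name)
        if value is None or re.search(pattern, value) is None:
            return False
    return True


def evaluate(raw_json: str) -> Optional[Tuple[int, int, str]]:
    """Return (rule id, level, description) of the page's rule that would fire, or None.

    Simplification: any event rooted at "win" is treated as having matched 60009.
    Its children are then tried highest level first, the order Wazuh checks sibling
    rules in, which is why 200453 (level 12) beats 200452 (level 5) for a blocked
    page even though both match eventID 7. After a hit, that rule's own children
    are tried in turn (none exist here), and the deepest match is what fires.
    """
    event = json.loads(raw_json)
    if "win" not in event:
        return None
    matched = None
    parent = WINDOWS_BASE_RULE
    while True:
        children = sorted((r for r in RULES if r[2] == parent), key=lambda r: -r[1])
        hit = next((r for r in children if rule_matches(r[3], event)), None)
        if hit is None:
            return matched
        matched = (hit[0], hit[1], hit[4])
        parent = hit[0]


if __name__ == "__main__":
    for name, raw in SAMPLE_EVENTS.items():
        print(f"{name:15} -> {evaluate(raw)}")
```

The "other_provider" event returns None only because none of the page's rules cover it; in a real manager it would still be handled by Wazuh's built-in Windows rules. Once the XML is deployed, confirm the same outcomes with wazuh-logtest on the manager by pasting the agent's JSON event.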

WithSecure Elements EPP — Events and Alerts in SOCFortress Platform

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).