Missing who-data decoders and rules

Author: jesuslinares

CHANGELOG.md

@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 ## [v3.4.0]
 
+### Added
+
+  - Decoder for syscheck integration with audit.
+
 ### Changed
 
   - Removed offset of the `frequency` attribute in rules. ([#145](https://github.com/wazuh/wazuh-ruleset/pull/145))

VERSION

@@ -1,2 +1,2 @@
 RULESET_VERSION="v3.4.0"
-REVISION="3400"
+REVISION="3401"

decoders/0200-ossec_decoders.xml

@@ -20,6 +20,15 @@
   <order>extra_data</order>
 </decoder>
 
+<!-- ossec: Audit: Detected rules manipulation: Rule removed -->
+<decoder name="ossec-syscheck-audit">
+  <parent>ossec</parent>
+  <type>ossec</type>
+  <prematch offset="after_parent">^Audit:</prematch>
+  <regex offset="after_prematch">^ (\.+)</regex>
+  <order>extra_data</order>
+</decoder>
+
 <decoder name="ossec-agent">
   <parent>ossec</parent>
   <type>ossec</type>

rules/0015-ossec_rules.xml

@@ -107,6 +107,13 @@
     <group>rootcheck,gdpr_IV_30.1.g,</group>
   </rule>
 
+  <rule id="517" level="7">
+    <if_sid>500</if_sid>
+    <match>^ossec: Audit:</match>
+    <description>Syscheck Audit: $(extra_data)</description>
+    <group>syscheck,gdpr_II_5.1.f,gdpr_IV_35.7.d,</group>
+  </rule>
+
   <rule id="518" level="9">
     <if_sid>514</if_sid>
     <match>Adware|Spyware</match>
@@ -199,7 +206,7 @@
   <rule id="553" level="7">
     <category>ossec</category>
     <decoded_as>syscheck_deleted</decoded_as>
-    <description>File deleted. Unable to retrieve checksum.</description>
+    <description>File deleted.</description>
     <group>syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,</group>
   </rule>
 
@@ -284,7 +291,7 @@
     <if_sid>553</if_sid>
     <hostname>syscheck-registry</hostname>
     <group>syscheck,pci_dss_11.5,gpg13_4.13,gdpr_II_5.1.f,</group>
-    <description>Registry Entry Deleted. Unable to Retrieve Checksum</description>
+    <description>Registry Entry Deleted.</description>
   </rule>
 
   <rule id="598" level="5">