Create 600000-active_response.xml

socfortress · Feb 22, 2024 · 8307aab · 8307aab
1 parent 6c0575e
commit 8307aab
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/Active_Response/600000-active_response.xml b/Active_Response/600000-active_response.xml
@@ -0,0 +1,9 @@
+<group name="active_response,">
+ <rule id="600000" level="10">
+    <decoded_as>json</decoded_as>
+    <field name="active_response">windows_firewall</field>
+    <description>Windows Firewall Active Response triggered.</description>
+    <group>socfortress,</group>
+    <options>no_full_log</options>
+  </rule>
+</group>