Alerts for login post work hours


Daniel D'Angeli

Apr 8, 2022, 5:42:20 AM
to Wazuh mailing list
Hi,

I'm trying to create a rule to generate alerts for when someone makes a login on a Linux system post work hours.

Is there a way in the regex to determine whether the time of the login is after 18:00 and earlier than 09:00 (6pm and 9am)?

Regards,
Daniel D.

Daniel D'Angeli

Apr 8, 2022, 5:44:57 AM
to Wazuh mailing list
Found the following guide:

<rule id="17101" level="9">
  <if_group>authentication_success</if_group>
  <time>6 pm - 8:30 am</time>
  <description>Successful login during non-business hours.</description>
  <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,</group>
</rule>

Daniel D'Angeli

Apr 8, 2022, 6:23:11 AM
to wa...@googlegroups.com

So I found out the rule is there by default in the 0215-policy rules file, but I know there have been multiple accesses post business hours, yet no alerts with rule id 17101 are registered in my cluster.

Do I need to manually activate this rule?

Regards,

Daniel D.

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/k1UttSz-ZU8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/fd061b33-98c0-49a6-a830-1f4c18fa1fdfn%40googlegroups.com.
--
Daniel D'Angeli
Network Security Analyst
Sync Security S.r.l.

Mail: daniel....@syncsecurity.it
Website: www.syncsecurity.it

ROMA - MILANO - NAPOLI - PADOVA - VERONA

Daniel D'Angeli

Apr 8, 2022, 6:43:32 AM
to Wazuh mailing list
Found that in the ossec.conf of the Wazuh server, by searching "policy", the 0215-policy rules file is being excluded.

Sandra Ocando

Apr 13, 2022, 4:29:02 AM
to Daniel D'Angeli, Wazuh mailing list
Hello Daniel,

Rule 17101 "Successful login during non-business hours" and rule 17102 "Successful login during weekend" serve as examples of how to create time-dependent rules, but are excluded by default as they may not apply to every organization.

You may enable them by removing the <rule_exclude>0215-policy_rules.xml</rule_exclude> line from the Wazuh manager ossec.conf.

You can also modify them for your specific needs; please take into account that the time used for matching these rules is the system clock of the machine running the Wazuh manager, so if it is different from the agent's local time the rule must be adapted accordingly.

Best regards,
Sandra.

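As an added illustration of the two points in this thread (the "6 pm - 8:30 am" window in rule 17101 wraps past midnight, and Sandra's note that the window is matched against the manager's clock rather than the agent's), here is a small Python model of the check. It is not Wazuh code and does not claim to reproduce Wazuh's exact boundary semantics; the parser, the half-open window rule, the helper names and the sample logins are all this example's own assumptions.

```python
import re
from datetime import datetime, time, timedelta, timezone

# Hypothetical parser (not Wazuh's own): accepts "6 pm", "8:30 am" and "18:00".
_CLOCK_RE = re.compile(r"^\s*(\d{1,2})(?::(\d{2}))?\s*([ap]m)?\s*$", re.IGNORECASE)


def parse_clock(text):
    """Turn one side of a <time> range into a datetime.time."""
    m = _CLOCK_RE.match(text)
    if not m:
        raise ValueError("unrecognised clock value: %r" % text)
    hour, minute = int(m.group(1)), int(m.group(2) or 0)
    meridiem = (m.group(3) or "").lower()
    if meridiem:
        if not 1 <= hour <= 12:
            raise ValueError("12-hour value out of range: %r" % text)
        hour = hour % 12 + (12 if meridiem == "pm" else 0)   # 12 am -> 0, 12 pm -> 12
    elif not 0 <= hour <= 23:
        raise ValueError("24-hour value out of range: %r" % text)
    if not 0 <= minute <= 59:
        raise ValueError("minute out of range: %r" % text)
    return time(hour, minute)


def parse_window(spec):
    """'6 pm - 8:30 am' -> (time(18, 0), time(8, 30))."""
    start_txt, end_txt = spec.split("-", 1)
    return parse_clock(start_txt), parse_clock(end_txt)


def in_window(t, window):
    """Half-open [start, end) membership; a window whose end is earlier than its
    start wraps past midnight. The boundary handling is an assumption of this
    example, not a statement about how Wazuh's matcher treats the edges."""
    start, end = window
    if start <= end:                 # same-day window, e.g. "9 am - 5 pm"
        return start <= t < end
    return t >= start or t < end     # wraps past midnight, e.g. "6 pm - 8:30 am"


def shift_window(window, offset):
    """Re-express a window written in agent-local time in the manager's clock.
    offset = manager UTC offset - agent UTC offset (a timedelta)."""
    anchor = datetime(2000, 1, 1)
    return tuple((anchor.replace(hour=t.hour, minute=t.minute) + offset).time()
                 for t in window)


# Constructed sample logins (instants in UTC), not real data.
SAMPLE_LOGINS = [
    ("alice", datetime(2022, 4, 8, 20, 15, tzinfo=timezone.utc)),
    ("bob",   datetime(2022, 4, 8, 7, 0,  tzinfo=timezone.utc)),
    ("carol", datetime(2022, 4, 8, 12, 30, tzinfo=timezone.utc)),
]


def evaluate(window_spec, manager_utc_offset_hours, agent_utc_offset_hours=None):
    """Return {user: would_fire} for SAMPLE_LOGINS.

    The rule is matched against the manager's system clock, so each login is
    converted to the manager's zone first. If the agents sit in another zone and
    the window was written in *their* local time, pass their offset and the
    window is shifted into manager time, which is the adaptation the reply
    above says is needed when the two clocks differ.
    """
    manager_tz = timezone(timedelta(hours=manager_utc_offset_hours))
    window = parse_window(window_spec)
    if agent_utc_offset_hours is not None:
        delta = timedelta(hours=manager_utc_offset_hours - agent_utc_offset_hours)
        window = shift_window(window, delta)
    results = {}
    for user, login_utc in SAMPLE_LOGINS:
        manager_local = login_utc.astimezone(manager_tz).time().replace(second=0, microsecond=0)
        results[user] = in_window(manager_local, window)
    return results


if __name__ == "__main__":
    print("manager UTC, window as written:", evaluate("6 pm - 8:30 am", 0))
    print("manager UTC, agents at UTC+2:  ", evaluate("6 pm - 8:30 am", 0, agent_utc_offset_hours=2))
```

With the manager on UTC and the window taken literally, bob's 07:00 UTC login fires; if bob's agent is actually at UTC+2 that same login is 09:00 local, inside business hours, and shifting the window to the manager's clock ("16:00 - 06:30") stops the false positive while alice's 20:15 login still fires.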