How do I ingest security events from windows event log provider?


c3rberus

Oct 9, 2023, 9:33:13 PM
to Wazuh | Mailing List
Hello,

I am using Wazuh 4.5.2 and I am trying to ingest specific Windows event logs so that I may be able to search them in Wazuh.

In my agent.conf file I have the event channel configured.

<agent_config>
  <!-- Shared agent configuration here -->
  <!-- Microsoft Entra Password Protection -->
  <localfile>
    <location>Microsoft-AzureADPasswordProtection-DCAgent/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>Microsoft-AzureADPasswordProtection-DCAgent/Admin</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>

The event log I want to capture is below (XML output from Event Viewer).

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-AzureADPasswordProtection-DCAgent" Guid="{fce041b2-eacd-48a2-8e09-4d5d43c0ff69}" />
    <EventID>10016</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2023-10-10T01:17:03.9788413Z" />
    <EventRecordID>18091</EventRecordID>
    <Correlation ActivityID="{ee810882-acca-4f9b-b054-a267eb480f7f}" />
    <Execution ProcessID="840" ThreadID="2808" />
    <Channel>Microsoft-AzureADPasswordProtection-DCAgent/Admin</Channel>
    <Computer>XXXXX</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Data1">spare</Data>
    <Data Name="Data2">Spare Account</Data>
  </EventData>
</Event>

I can confirm the log is seen in the Wazuh archive.log when I set <logall>yes</logall>; however, I don't see it in security events.

2023 Oct 05 07:52:09 (XXX-DC02) any->EventChannel {"win":{"system":{"providerName":"Microsoft-AzureADPasswordProtection-DCAgent","providerGuid":"{fce041b2-eacd-48a2-8e09-4d5d43c0ff69}","eventID":"30002","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-10-05T14:52:09.1876361Z","eventRecordID":"17526","processID":"3036","threadID":"6916","channel":"Microsoft-AzureADPasswordProtection-DCAgent/Admin","computer":"XXXXX","severityValue":"INFORMATION","message":"\"The changed password for the specified user was rejected because it matched at least one of the tokens present in the per-tenant banned password list of the current Azure password policy.\r\n \r\n UserName: spare\r\n FullName: Spare Account\r\n\""},"eventdata":{"data1":"spare","data2":"Spare Account"}}}

I tried all sorts of configuration variations inside local_rules.xml and local_decoder.xml; in the end I got desperate and was capturing anything with the keyword AzureADPasswordProtection.

<group name="windows,">
  <rule id="100002" level="5">
    <regex type="pcre2">(?i)(.*)(AzureADPasswordProtection)(.*)</regex>
    <description>AzureADPasswordProtection</description>
    <options>no_full_log</options>
  </rule>
</group>

<decoder name="allow_all">
    <prematch>\.</prematch>
</decoder>

<decoder name="AzureADPasswordProtection">
    <parent>allow_all</parent>
    <regex type="pcre2">(?i)(.*)(AzureADPasswordProtection)(.*)</regex>
    <order>data,action,extra_data</order>
</decoder>

None of this seems to work, Wazuh does not ingest data from the new event channel.

Here is the output of the ruleset test.

**Messages:
WARNING: (7003): '4a931f81' token expires
INFO: (7202): Session initialized with token 'f6a17743'

**Phase 1: Completed pre-decoding.
timestamp: '2023 Oct 05 07:52:09'

**Phase 2: Completed decoding.
name: 'allow_all'
action: 'AzureADPasswordProtection'
data: 'any->EventChannel {"win":{"system":{"providerName":"Microsoft-AzureADPasswordProtection-DCAgent","providerGuid":"{fce041b2-eacd-48a2-8e09-4d5d43c0ff69}","eventID":"30002","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-10-05T14:52:09.1876361Z","eventRecordID":"17526","processID":"3036","threadID":"6916","channel":"Microsoft-'
extra_data: '-DCAgent/Admin","computer":"XXXXX","severityValue":"INFORMATION","message":"\"The changed password for the specified user was rejected because it matched at least one of the tokens present in the per-tenant banned password list of the current Azure password policy.\r\n \r\n UserName: spare\r\n FullName: Spare Account\r\n\""},"eventdata":{"data1":"spare","data2":"Spare Account"}}}'

**Phase 3: Completed filtering (rules).
id: '100002'
level: '5'
description: 'AzureADPasswordProtection'
groups: '["windows"]'
firedtimes: '1'
mail: 'false'
**Alert to be generated.

Can someone point me to the right direction? What am I doing wrong?

ashraf abbas

Oct 10, 2023, 6:26:38 AM
to Wazuh | Mailing List
Hello Mirza,

If you can see Windows event logs in the Wazuh archive.log but not in the specific Wazuh security events, it's possible that the log data is not being processed by Wazuh's decoders and rules for the Security event channel. To resolve this issue and ensure that you see Windows Security event logs in the appropriate Wazuh security events, you can follow these steps:

Confirm Log Format:

Ensure that the Windows event logs you want to monitor are indeed in the expected format (e.g., XML or JSON) and that the format matches what is specified in your Wazuh configuration.
Verify Decoder Configuration:

Check your Wazuh agent's configuration file (ossec.conf) on the Windows machine and verify that the correct decoder is specified for the Windows Security event log. You should use the <decoder> directive to specify the appropriate decoder for your log format.
Example configuration for using the Windows event log decoder:

<group name="windows">
  <localfile>
    <log_format>json</log_format>
    <location>C:\Windows\System32\winevt\Logs\Security.evtx</location>
    <decoder>windows</decoder>
  </localfile>
</group>

Ensure Decoders Are Available:
Check that the appropriate decoders are available in your Wazuh manager's configuration (/var/ossec/etc/decoders). Wazuh provides a default Windows eventlog decoder (windows_decoder.xml) for parsing Windows event logs. Ensure that this decoder is present and correctly configured.

Try restarting the Wazuh agent service on the Windows machine to apply the changes.

Also, monitor the alerts generated by Wazuh in the Wazuh manager's interface. If the logs are correctly parsed and processed, you should see alerts related to the Windows Security events.

Test and Troubleshoot:

If you're still not seeing the expected Windows Security event logs in Wazuh security events, consider generating test events and examining the logs and alerts to identify any issues or discrepancies in the configuration.

Kindly reach out if you are still experiencing these challenges.
Regards,
Ashraf.

Harshal Paliwal

Oct 10, 2023, 10:50:25 PM
to Wazuh | Mailing List
Hi Team,
Thanks for using Wazuh. There is no need to create a custom decoder. The event logs are in JSON format and will be decoded with the default JSON decoder.
Your actual log starts from {"win":{"system":{"providerName, not from 2023 Oct 05 07:52:09 (XXX-DC02) any->EventChannel {"win":{"system":{"providerName, so you need to test with the actual log. I have created a sample rule for you below. You can use it as a reference and change it according to your needs.

<group name="windows, event logs">
  <rule id="111111" level="12">
    <field name="win.system.channel">Microsoft-AzureADPasswordProtection-DCAgent/Admin</field>
    <description>This log from the Microsoft-AzureADPasswordProtection-DCAgent/Admin</description>
  </rule>
</group>

Reference:
Decoders Syntax - Ruleset XML syntax · Wazuh documentation
Creating decoders and rules from scratch | Wazuh

Hope this information helps you. Please feel free to reach out to us for any information/issues.

Mirza Dedic

Oct 11, 2023, 12:37:12 AM
to Wazuh | Mailing List, Harshal Paliwal
I used your sample rule and it shows up in phase 3; however, I can't seem to search these events. They are not appearing in Wazuh > Modules > Security Events > Events when I search for them.

Any ideas why?

Here is how they appear in /var/ossec/logs/archives/archives.log

{"win":{"system":{"providerName":"Microsoft-AzureADPasswordProtection-DCAgent","providerGuid":"{fce041b2-eacd-48a2-8e09-4d5d43c0ff69}","eventID":"30002","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-10-11T04:24:18.8688596Z","eventRecordID":"17812","processID":"3036","threadID":"5720","channel":"Microsoft-AzureADPasswordProtection-DCAgent/Admin","computer":"XXXXX","severityValue":"INFORMATION","message":"\"The changed password for the specified user was rejected because it matched at least one of the tokens present in the per-tenant banned password list of the current Azure password policy.\r\n \r\n UserName: spare\r\n FullName: Spare Account\r\n\""},"eventdata":{"data1":"spare","data2":"Spare Account"}}}

{"win":{"system":{"providerName":"Microsoft-AzureADPasswordProtection-DCAgent","providerGuid":"{fce041b2-eacd-48a2-8e09-4d5d43c0ff69}","eventID":"10016","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-10-11T04:24:18.8688864Z","eventRecordID":"17813","processID":"840","threadID":"2844","channel":"Microsoft-AzureADPasswordProtection-DCAgent/Admin","computer":"XXXXX","severityValue":"INFORMATION","message":"\"The changed password for the specified user was rejected because it did not comply with the current Azure password policy. Please see the correlated event log message for more details.\r\n \r\n UserName: spare\r\n FullName: Spare Account\r\n\""},"eventdata":{"data1":"spare","data2":"Spare Account"}}}

Here is the output of the rule test.

**Messages:
      WARNING: (7003): '9c420834' token expires
      INFO: (7202): Session initialized with token '147ddfcc'

**Phase 1: Completed pre-decoding.
      full event: '{"win":{"system":{"providerName":"Microsoft-AzureADPasswordProtection-DCAgent","providerGuid":"{fce041b2-eacd-48a2-8e09-4d5d43c0ff69}","eventID":"30002","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-10-11T04:24:18.8688596Z","eventRecordID":"17812","processID":"3036","threadID":"5720","channel":"Microsoft-AzureADPasswordProtection-DCAgent/Admin","computer":"VAN-DC02.vand1.oppy.com","severityValue":"INFORMATION","message":"\"The changed password for the specified user was rejected because it matched at least one of the tokens present in the per-tenant banned password list of the current Azure password policy.\r\n \r\n UserName: spare\r\n FullName: Spare Account\r\n\""},"eventdata":{"data1":"spare","data2":"Spare Account"}}}'

**Phase 2: Completed decoding.
      name: 'json'
      win.eventdata.data1: 'spare'
      win.eventdata.data2: 'Spare Account'
      win.system.channel: 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
      win.system.computer: 'XXXXX'
      win.system.eventID: '30002'
      win.system.eventRecordID: '17812'
      win.system.keywords: '0x8000000000000000'
      win.system.level: '4'
      win.system.message: '"The changed password for the specified user was rejected because it matched at least one of the tokens present in the per-tenant banned password list of the current Azure password policy.
 
 UserName: spare
 FullName: Spare Account
"'
      win.system.opcode: '0'
      win.system.processID: '3036'
      win.system.providerGuid: '{fce041b2-eacd-48a2-8e09-4d5d43c0ff69}'
      win.system.providerName: 'Microsoft-AzureADPasswordProtection-DCAgent'
      win.system.severityValue: 'INFORMATION'
      win.system.systemTime: '2023-10-11T04:24:18.8688596Z'
      win.system.task: '0'
      win.system.threadID: '5720'
      win.system.version: '0'

**Phase 3: Completed filtering (rules).
      id: '100002'
      level: '12'
      description: 'This log from the Microsoft-AzureADPasswordProtection-DCAgent/Admin'
      groups: '["windows"," event logs"]'
      firedtimes: '1'
      mail: 'true'
**Alert to be generated.



Harshal Paliwal

Oct 11, 2023, 12:45:18 AM
to Wazuh | Mailing List
Hi,
After adding the rule, have you restarted your Wazuh-manager? If not, please restart your Wazuh-manager.
If you are not getting an alert, please check archives.json for this event and share the output from there.

Regards,

Mirza Dedic

Oct 11, 2023, 11:30:12 AM
to Wazuh | Mailing List, Harshal Paliwal
Yes, I have restarted wazuh-manager; here is the output of archives.json for this event.

{"timestamp":"2023-10-11T08:25:21.234-0700","agent":{"id":"003","name":"xxxxx","ip":"172.16.x.x"},"manager":{"name":"xxxxx"},"id":"1697037921.1389176236","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-AzureADPasswordProtection-DCAgent\",\"providerGuid\":\"{fce041b2-eacd-48a2-8e09-4d5d43c0ff69}\",\"eventID\":\"30002\",\"version\":\"0\",\"level\":\"4\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-10-11T15:25:20.0619094Z\",\"eventRecordID\":\"18176\",\"processID\":\"3028\",\"threadID\":\"3984\",\"channel\":\"Microsoft-AzureADPasswordProtection-DCAgent/Admin\",\"computer\":\"xxxxx.xxxx.xxxxx.com\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"The changed password for the specified user was rejected because it matched at least one of the tokens present in the per-tenant banned password list of the current Azure password policy.\\r\\n \\r\\n UserName: spare\\r\\n FullName: Spare Account\\r\\n\\\"\"},\"eventdata\":{\"data1\":\"spare\",\"data2\":\"Spare Account\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-AzureADPasswordProtection-DCAgent","providerGuid":"{fce041b2-eacd-48a2-8e09-4d5d43c0ff69}","eventID":"30002","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-10-11T15:25:20.0619094Z","eventRecordID":"18176","processID":"3028","threadID":"3984","channel":"Microsoft-AzureADPasswordProtection-DCAgent/Admin","computer":"xxxxx.xxxx.xxxxx.com","severityValue":"INFORMATION","message":"\"The changed password for the specified user was rejected because it matched at least one of the tokens present in the per-tenant banned password list of the current Azure password policy.\r\n \r\n UserName: spare\r\n FullName: Spare Account\r\n\""},"eventdata":{"data1":"spare","data2":"Spare Account"}}},"location":"EventChannel"}

{"timestamp":"2023-10-11T08:25:21.235-0700","agent":{"id":"003","name":"xxxxx","ip":"172.16.x.x"},"manager":{"name":"xxxxx"},"id":"1697037921.1389176236","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-AzureADPasswordProtection-DCAgent\",\"providerGuid\":\"{fce041b2-eacd-48a2-8e09-4d5d43c0ff69}\",\"eventID\":\"10016\",\"version\":\"0\",\"level\":\"4\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-10-11T15:25:20.0619990Z\",\"eventRecordID\":\"18177\",\"processID\":\"840\",\"threadID\":\"1128\",\"channel\":\"Microsoft-AzureADPasswordProtection-DCAgent/Admin\",\"computer\":\"xxxxx.xxxx.xxxxx.com\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"The changed password for the specified user was rejected because it did not comply with the current Azure password policy. Please see the correlated event log message for more details.\\r\\n \\r\\n UserName: spare\\r\\n FullName: Spare Account\\r\\n\\\"\"},\"eventdata\":{\"data1\":\"spare\",\"data2\":\"Spare Account\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-AzureADPasswordProtection-DCAgent","providerGuid":"{fce041b2-eacd-48a2-8e09-4d5d43c0ff69}","eventID":"10016","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-10-11T15:25:20.0619990Z","eventRecordID":"18177","processID":"840","threadID":"1128","channel":"Microsoft-AzureADPasswordProtection-DCAgent/Admin","computer":"xxxxx.xxxx.xxxxx.com","severityValue":"INFORMATION","message":"\"The changed password for the specified user was rejected because it did not comply with the current Azure password policy. Please see the correlated event log message for more details.\r\n \r\n UserName: spare\r\n FullName: Spare Account\r\n\""},"eventdata":{"data1":"spare","data2":"Spare Account"}}},"location":"EventChannel"}

When I run the JSON output through the ruleset test, I don't see phase 3; maybe that is the reason?

**Messages:
INFO: (7202): Session initialized with token '9fab2580'
**Phase 1: Completed pre-decoding.
full event: '{"timestamp":"2023-10-11T08:25:21.235-0700","agent":{"id":"003","name":"xxxxx","ip":"172.16.x.x"},"manager":{"name":"xxxxx"},"id":"1697037921.1389176236","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-AzureADPasswordProtection-DCAgent\",\"providerGuid\":\"{fce041b2-eacd-48a2-8e09-4d5d43c0ff69}\",\"eventID\":\"10016\",\"version\":\"0\",\"level\":\"4\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-10-11T15:25:20.0619990Z\",\"eventRecordID\":\"18177\",\"processID\":\"840\",\"threadID\":\"1128\",\"channel\":\"Microsoft-AzureADPasswordProtection-DCAgent/Admin\",\"computer\":\"xxxxx.xxxx.xxxxx.com\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"The changed password for the specified user was rejected because it did not comply with the current Azure password policy. Please see the correlated event log message for more details.\\r\\n \\r\\n UserName: spare\\r\\n FullName: Spare Account\\r\\n\\\"\"},\"eventdata\":{\"data1\":\"spare\",\"data2\":\"Spare Account\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-AzureADPasswordProtection-DCAgent","providerGuid":"{fce041b2-eacd-48a2-8e09-4d5d43c0ff69}","eventID":"10016","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-10-11T15:25:20.0619990Z","eventRecordID":"18177","processID":"840","threadID":"1128","channel":"Microsoft-AzureADPasswordProtection-DCAgent/Admin","computer":"xxxxx.xxxx.xxxxx.com","severityValue":"INFORMATION","message":"\"The changed password for the specified user was rejected because it did not comply with the current Azure password policy. Please see the correlated event log message for more details.\r\n \r\n UserName: spare\r\n FullName: Spare Account\r\n\""},"eventdata":{"data1":"spare","data2":"Spare Account"}}},"location":"EventChannel"}'
**Phase 2: Completed decoding.
name: 'json'
agent.id: '003'
agent.ip: '172.16.x.x'
agent.name: 'xxxxx'
data.win.eventdata.data1: 'spare'
data.win.eventdata.data2: 'Spare Account'
data.win.system.channel: 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
data.win.system.computer: 'xxxxx.xxxx.xxxxx.com'
data.win.system.eventID: '10016'
data.win.system.eventRecordID: '18177'
data.win.system.keywords: '0x8000000000000000'
data.win.system.level: '4'
data.win.system.message: '"The changed password for the specified user was rejected because it did not comply with the current Azure password policy. Please see the correlated event log message for more details.
 
 UserName: spare
 FullName: Spare Account
"'
data.win.system.opcode: '0'
data.win.system.processID: '840'
data.win.system.providerGuid: '{fce041b2-eacd-48a2-8e09-4d5d43c0ff69}'
data.win.system.providerName: 'Microsoft-AzureADPasswordProtection-DCAgent'
data.win.system.severityValue: 'INFORMATION'
data.win.system.systemTime: '2023-10-11T15:25:20.0619990Z'
data.win.system.task: '0'
data.win.system.threadID: '1128'
data.win.system.version: '0'
decoder.name: 'windows_eventchannel'
full_log: '{"win":{"system":{"providerName":"Microsoft-AzureADPasswordProtection-DCAgent","providerGuid":"{fce041b2-eacd-48a2-8e09-4d5d43c0ff69}","eventID":"10016","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-10-11T15:25:20.0619990Z","eventRecordID":"18177","processID":"840","threadID":"1128","channel":"Microsoft-AzureADPasswordProtection-DCAgent/Admin","computer":"xxxxx.xxxx.xxxxx.com","severityValue":"INFORMATION","message":"\"The changed password for the specified user was rejected because it did not comply with the current Azure password policy. Please see the correlated event log message for more details.\r\n \r\n UserName: spare\r\n FullName: Spare Account\r\n\""},"eventdata":{"data1":"spare","data2":"Spare Account"}}}'
id: '1697037921.1389176236'
location: 'EventChannel'
manager.name: 'xxxxx'
timestamp: '2023-10-11T08:25:21.235-0700'
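Harshal's point earlier in the thread (the event the agent sends begins at {"win":..., and the "2023 Oct 05 07:52:09 (XXX-DC02) any->EventChannel " prefix in archives.log is added by the manager) and the observation just above (feeding a whole archives.json record into the ruleset test produces field names like data.win.system.eventID instead of win.system.eventID, so a rule keyed on win.system.channel never reaches Phase 3) are the same mistake: testing against a wrapper instead of the event. The Python script below is an added example, not code from this thread or from Wazuh. It peels either wrapper off, flattens the event into the dotted field names that the JSON decoder's Phase 2 output shows, and evaluates a channel-based rule like Harshal's plus a hypothetical second rule keyed on eventID 30002 against constructed sample lines. The rule ids 100010 and 100011, the sample lines, and the exact-equality field comparison are assumptions (Wazuh compares a <field> value with its regex engine).

```python
import json
import re

# Constructed sample lines in the shape seen in the thread (field subset only).
# archives.log: manager prefix "timestamp (agent) location->" in front of the event JSON.
ARCHIVES_LOG_LINE = (
    "2023 Oct 05 07:52:09 (XXX-DC02) any->EventChannel "
    '{"win":{"system":{"providerName":"Microsoft-AzureADPasswordProtection-DCAgent",'
    '"eventID":"30002","level":"4",'
    '"channel":"Microsoft-AzureADPasswordProtection-DCAgent/Admin",'
    '"computer":"XXXXX","severityValue":"INFORMATION"},'
    '"eventdata":{"data1":"spare","data2":"Spare Account"}}}'
)

# archives.json: the manager's record, with the original event nested as the "full_log" string.
_INNER_EVENT = {
    "win": {
        "system": {
            "providerName": "Microsoft-AzureADPasswordProtection-DCAgent",
            "eventID": "10016",
            "level": "4",
            "channel": "Microsoft-AzureADPasswordProtection-DCAgent/Admin",
            "computer": "XXXXX",
            "severityValue": "INFORMATION",
        },
        "eventdata": {"data1": "spare", "data2": "Spare Account"},
    }
}
ARCHIVES_JSON_RECORD = json.dumps({
    "timestamp": "2023-10-11T08:25:21.235-0700",
    "agent": {"id": "003", "name": "xxxxx"},
    "full_log": json.dumps(_INNER_EVENT),
    "decoder": {"name": "windows_eventchannel"},
    "data": _INNER_EVENT,
    "location": "EventChannel",
})

# "YYYY Mon DD HH:MM:SS (agent) location->" prefix as written by the manager in archives.log.
_ARCHIVE_PREFIX = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \([^)]*\) \S+->\S+ "
)


def extract_event_json(line: str) -> str:
    """Return the raw event JSON the agent actually sent.

    Accepts a bare event ({"win":...}), an archives.log line carrying the manager
    prefix, or an archives.json record where the event sits in "full_log".
    Only the bare event is what wazuh-logtest should be fed.
    """
    line = line.strip()
    m = _ARCHIVE_PREFIX.match(line)
    if m:
        return line[m.end():]
    if line.startswith("{"):
        obj = json.loads(line)
        if "full_log" in obj and "win" not in obj:
            return obj["full_log"]
        return line
    raise ValueError("unrecognised line shape")


def flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten nested JSON into dotted keys (win.system.channel), as Phase 2 displays them."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def decode_event(line: str) -> dict:
    return flatten(json.loads(extract_event_json(line)))


# Hypothetical rules (ids assumed): the first mirrors the channel match from the thread,
# the second narrows to the "banned password list" event ID 30002 seen in the samples.
RULES = [
    {"id": 100010, "level": 5,
     "field": {"win.system.channel": "Microsoft-AzureADPasswordProtection-DCAgent/Admin"},
     "description": "Entra password protection DC agent event"},
    {"id": 100011, "level": 7,
     "field": {"win.system.channel": "Microsoft-AzureADPasswordProtection-DCAgent/Admin",
               "win.system.eventID": "30002"},
     "description": "Password rejected: matched banned password list"},
]


def matching_rule(fields: dict):
    """Return the highest-level rule whose every field condition matches (exact equality here)."""
    hits = [r for r in RULES if all(fields.get(k) == v for k, v in r["field"].items())]
    return max(hits, key=lambda r: r["level"]) if hits else None


if __name__ == "__main__":
    for sample in (ARCHIVES_LOG_LINE, ARCHIVES_JSON_RECORD):
        fields = decode_event(sample)
        rule = matching_rule(fields)
        print(fields["win.system.eventID"], "->", rule["id"] if rule else "no rule")
```

Running it prints one line per sample showing which rule fires once the wrapper is removed; the same inputs fed to the rules without extract_event_json would carry no win.system.* keys at the top level and match nothing, which is the "no Phase 3" symptom above.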

