Detect User on Device


Henry Bateup

Nov 10, 2022, 2:51:36 AM11/10/22
to Wazuh mailing list
Is there a way to detect the user of a device with the Wazuh Agent running on it? If so, how can it be displayed on the agent dashboard?

Tomas Benitez Vescio

Nov 10, 2022, 8:01:48 AM11/10/22
to Wazuh mailing list
Hi,

Thanks for using Wazuh!

One way you could detect a user logging on to a device with the Wazuh Agent on it could be to create a rule that detects the login of any or a particular user you want and fires an alert if the conditions are met.

You can accomplish this by creating a new custom rule inside /var/ossec/etc/rules/local_rules.xml. You can learn more about the Wazuh ruleset, the syntax and how to create a custom rule in this documentation.

An example of a rule that fires when a specific user logs in can be found here and is the following:

<rule id="140101" level="12">
  <if_group>authentication_success</if_group>
  <user negate="yes">wazuh|root</user>
  <description>Unexpected user successfully logged to the system.</description>
</rule>

This example rule will trigger an alert if a user different than root or wazuh successfully logs into the system. You should be able to see this and other alerts on your Wazuh Dashboard.

Regards.
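As an added illustration (not Wazuh's own code and not part of this thread), the following simulates how the rule above is evaluated against decoded events. It assumes Wazuh's sregex semantics for `<user>`: "|" separates alternatives, "^" and "$" anchor, and an unanchored alternative matches anywhere in the user field, so the exception list `wazuh|root` also swallows a constructed user such as `nonroot`.

```python
# Simulation of how Wazuh evaluates the posted rule (not Wazuh's own code):
# <if_group> must be among the event's groups; <user negate="yes"> inverts the
# user match. Assumption: sregex "|" is OR, "^"/"$" anchor, and an unanchored
# alternative matches anywhere in the field (substring).
RULE = {
    "id": "140101",
    "if_group": "authentication_success",
    "user": "wazuh|root",
    "user_negate": True,
}

def sregex_match(pattern, value):
    """Return True if any '|'-separated alternative of pattern matches value."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        core = alt[1 if start else 0:len(alt) - 1 if end else len(alt)]
        if start and end:
            hit = value == core
        elif start:
            hit = value.startswith(core)
        elif end:
            hit = value.endswith(core)
        else:
            hit = core in value
        if hit:
            return True
    return False

def rule_fires(rule, event):
    """Apply the rule to one decoded event (group list plus dstuser field)."""
    if rule["if_group"] not in event.get("groups", ()):
        return False
    user = event.get("dstuser")
    if user is None:          # <user> cannot match an event that has no user
        return False
    matched = sregex_match(rule["user"], user)
    return (not matched) if rule["user_negate"] else matched

# Constructed decoded events standing in for sshd "Accepted"/"Failed" logs.
EVENTS = [
    {"groups": ["syslog", "sshd", "authentication_success"], "dstuser": "root"},
    {"groups": ["syslog", "sshd", "authentication_success"], "dstuser": "alice"},
    {"groups": ["syslog", "sshd", "authentication_success"], "dstuser": "nonroot"},
    {"groups": ["syslog", "sshd", "authentication_failed"], "dstuser": "alice"},
]

def alerted_users(rule=RULE, events=EVENTS):
    """Users for which the rule would raise an alert."""
    return [e["dstuser"] for e in events if rule_fires(rule, e)]
```

Anchoring the exceptions as `^wazuh$|^root$` makes the exception list match exact names only, so `nonroot` would then alert as intended.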

Henry Bateup

Nov 10, 2022, 9:07:44 AM11/10/22
to Tomas Benitez Vescio, Wazuh mailing list
Hi Tomas,

I mean not a rule, but something like a last user, which would be displayed in the agent dashboard the way the device name is displayed.

Regards,

Henry Bateup


Saddique Khan

Aug 30, 2023, 5:50:47 AM8/30/23
to Wazuh | Mailing List
Hello Tome,

I have created the rule to detect the root user login on the agent machine. It passes the test when I test it from the backend using the wazuh-logtest script. However, it is still throwing the alerts on my Wazuh dashboard; it creates one every 30 minutes. Any solution?
