I have a decoder that grabs the appropriate Account Name, but have come across another issue. Even if I am able to properly decode "user", my ossec alert.log does not correlate that to "user" unless it's in the expected location in the WinEvtLog header.
Raw Log
WinEvtLog: Security: AUDIT_SUCCESS(4725): Microsoft-Windows-Security-Auditing: (no user): no domain:
myhost.mydomain.com: A user account was disabled. Subject: Security ID: S-1-5-21-789336058-1532298954-839522115-141077 Account Name: my_account Account Domain: MYDOMAIN Logon ID: 0x23a80332 Target Account: Security ID: S-1-5-21-789336058-1532298954-839522115-60716 Account Name: my_account Account Domain: MYDOMAIN
Decoder:
<decoder name="windows-verbose-auth">
<parent>windows</parent>
<regex offset="after_parent">Security ID:\s*\S*\s*Account Name:\s*(\S\S+)\s+Account Domain:\s*(\S*)</regex>
<order>user, extra_data</order>
</decoder>
ossec-logtest output:
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_SUCCESS'
id: '4725'
extra_data: 'Microsoft-Windows-Security-Auditing'
system_name: '
myhost.mydomain.com'
dstuser: 'my_account'
Alert.log
** Alert **
time: 1448030023
hostname: (agent26) 0.0.0.0->WinEvtLog
location: (agent26) 0.0.0.0->WinEvtLog
rule_id: 18112
rule_rev: 1
rule_name: User account disabled or deleted.
rule_level: 8
lrec_object_tag: user
lrec_action_tag: authentication delete
lrec_status_tag: success
lrec_action: review
event_id: 4725
status: AUDIT_SUCCESS
data: Microsoft-Windows-Security-Auditing
systemname:
myhost.mydomain.com
raw_log:
WinEvtLog: Security: AUDIT_SUCCESS(4725): Microsoft-Windows-Security-Auditing: (no user): no domain:
myhost.mydomain.com: A user account was disabled. Subject: Security ID: S-1-5-21-789336058-1532298954-839522115-141077 Account Name: my_account Account Domain: MYDOMAIN Logon ID: 0x23a80332 Target Account: Security ID: S-1-5-21-789336058-1532298954-839522115-60716 Account Name: my_account Account Domain: MYDOMAIN
As you can see, "user" in the alert.log doesn't populate. If I modify the log message and manually ingest it into OSSEC, it works.
New Raw Log:
WinEvtLog: Security: AUDIT_SUCCESS(4725): Microsoft-Windows-Security-Auditing: my_account: no domain:
myhost.mydomain.com: A user account was disabled. Subject: Security ID: S-1-5-21-789336058-1532298954-839522115-141077 Account Name: my_account Account Domain: MYDOMAIN Logon ID: 0x23a80332 Target Account: Security ID: S-1-5-21-789336058-1532298954-839522115-60716 Account Name: my_account Account Domain: MYDOMAIN
New Alert.log
** Alert **
time: 1448030023
hostname: (agent26) 0.0.0.0->WinEvtLog
location: (agent26) 0.0.0.0->WinEvtLog
rule_id: 18112
rule_rev: 1
rule_name: User account disabled or deleted.
rule_level: 8
lrec_object_tag: user
lrec_action_tag: authentication delete
lrec_status_tag: success
lrec_action: review
event_id: 4725
status: AUDIT_SUCCESS
data: Microsoft-Windows-Security-Auditing
user: my_account
systemname:
myhost.mydomain.com
raw_log:
WinEvtLog: Security: AUDIT_SUCCESS(4725): Microsoft-Windows-Security-Auditing: my_account: no domain:
myhost.mydomain.com: A user account was disabled. Subject: Security ID: S-1-5-21-789336058-1532298954-839522115-141077 Account Name: my_account Account Domain: MYDOMAIN Logon ID: 0x23a80332 Target Account: Security ID: S-1-5-21-789336058-1532298954-839522115-60716 Account Name: my_account Account Domain: MYDOMAIN
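The following is an added example, not code from the post above or from OSSEC itself. It shows in plain Python what the post's decoder is trying to do with OSSEC regex syntax: split the fixed WinEvtLog header (channel, status and event id, source, user, domain, host) from the free-text message, pull out both "Security ID / Account Name / Account Domain" triples, and fall back to the Target Account name when the header carries the literal "(no user)" that the post's alert shows. The sample event is constructed from the post's own 4725 record; the field names, the "(no user)" fallback rule and the assumption that account names contain no spaces are the example's own choices, not anything OSSEC documents.

```python
import re

# Constructed sample, modelled on the event 4725 quoted in the post above.
# The SIDs and names are the post's own placeholders, not real identities.
RAW_EVENT = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4725): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: myhost.mydomain.com: A user account was disabled. "
    "Subject: Security ID: S-1-5-21-789336058-1532298954-839522115-141077 "
    "Account Name: my_account Account Domain: MYDOMAIN Logon ID: 0x23a80332 "
    "Target Account: Security ID: S-1-5-21-789336058-1532298954-839522115-60716 "
    "Account Name: my_account Account Domain: MYDOMAIN"
)

# The fixed WinEvtLog header: channel, status(event id), source, user, domain,
# host, then the free-text message. Header fields never contain ':' so [^:]+ is
# safe; the \s* between fields also swallows the line break that the post's
# agent inserted after "no domain:" (visible as the leading newline in the
# post's systemname field).
HEADER_RE = re.compile(
    r"^WinEvtLog:\s*(?P<channel>[^:]+):\s*(?P<status>[A-Z_]+)\((?P<event_id>\d+)\):\s*"
    r"(?P<source>[^:]+):\s*(?P<user>[^:]+):\s*(?P<domain>[^:]+):\s*"
    r"(?P<system_name>\S+):\s*(?P<message>.*)$",
    re.S,
)

# One "Security ID / Account Name / Account Domain" triple, keyed by the section
# label in front of it. Like the post's decoder this assumes account names
# without spaces (assumption); an unset field that Windows renders as "-" is
# still matched by \S+.
ACCOUNT_RE = re.compile(
    r"(?P<section>Subject|Target Account):\s*Security ID:\s*(?P<sid>\S+)\s*"
    r"Account Name:\s*(?P<name>\S+)\s*Account Domain:\s*(?P<domain>\S+)"
)

NO_USER = "(no user)"


def decode(raw):
    """Split a WinEvtLog record into header fields plus the account triples."""
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("not a WinEvtLog record")
    event = m.groupdict()
    event["accounts"] = {
        a.group("section"): {
            "sid": a.group("sid"),
            "name": a.group("name"),
            "domain": a.group("domain"),
        }
        for a in ACCOUNT_RE.finditer(event["message"])
    }
    return event


def effective_user(event):
    """User to report: the header user when the agent filled it in, otherwise
    the Target Account from the message body (the account that was acted on).
    Falling back to the target rather than the Subject is this example's
    choice; the Subject is the operator who performed the action."""
    if event["user"] != NO_USER:
        return event["user"]
    target = event["accounts"].get("Target Account")
    return target["name"] if target else None


if __name__ == "__main__":
    ev = decode(RAW_EVENT)
    print(ev["event_id"], repr(ev["user"]), "->", effective_user(ev))
    for section, acct in ev["accounts"].items():
        print(section, acct["domain"] + "\\" + acct["name"], acct["sid"])
```

Running it on the constructed record prints the header user "(no user)" resolving to my_account via the Target Account, and lists both the Subject and Target SIDs, which is the distinction the post's single-capture regex cannot make because it stops at the first "Security ID:" match.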