Hi ossec community,
I'm wondering if the rule with ID 17101 (policy_rules) could also be triggered for events derived from Windows agents. I'm testing the following log with ossec-logtest, but only the rule with ID 18107 (ms_auth_rules) gets triggered:
2021 Oct 22 02:41:37 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.*****.DOMAIN: Win2016-1.AD.*****.domain: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-18 Account Name: WIN2016-1$ Account Domain: AD.*****.DOMAIN Logon ID: 0x7effdf27325 Logon GUID: {BB6F5B99-2E84-D711-F3ED-2D759EA2B180} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 87*** Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed.
ossec-logtest:
**Phase 3: Completed filtering (rules).
Rule id: '18107'
Level: '3'
Description: 'Windows Logon Success.'
**Alert to be generated.
I've tried to add a local rule adapted to the Windows group, like the one below, but with no results:
<group name="local,windows,">
  <rule id="100020" level="9">
    <if_group>authentication_success</if_group>
    <time>7 pm - 7:00 am</time>
    <description>Successful login during non-business hours</description>
    <group>login_time,</group>
    <options>no_ar</options>
  </rule>
</group>
I would be grateful for any help.
Angel
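Added illustration, not code from the post or from OSSEC itself: a small Python model of how a rule's <time> window such as "7 pm - 7:00 am" is evaluated (including the wrap past midnight), applied to the timestamp of the event quoted above. The regexes and function names are my own assumptions, written from the <time> formats the OSSEC rule syntax documents.

```python
import re
from datetime import datetime

# <time> spellings the OSSEC rule syntax documents: "hh:mm-hh:mm", "hh-hh",
# "h am - h pm", "h:mm am - h:mm pm" (spaces around "-" optional).
_TIME_RANGE = re.compile(
    r"^\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)?\s*-\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)?\s*$",
    re.IGNORECASE)
# Timestamp prefix of the line in the post: "2021 Oct 22 02:41:37 WinEvtLog: ..."
_LINE_TS = re.compile(r"^(\d{4} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2}) ")


def _minute_of_day(hour, minute, ampm):
    """One end of a <time> range as minutes since midnight."""
    h, m = int(hour), int(minute or 0)
    if ampm:  # 12-hour clock: 12 am -> 0, 12 pm -> 12, 7 pm -> 19
        h = h % 12 + (12 if ampm.lower() == "pm" else 0)
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"bad time {hour}:{minute or '00'} {ampm or ''}")
    return h * 60 + m


def parse_time_range(spec):
    """OSSEC <time> value -> (start, end) in minutes of the day."""
    match = _TIME_RANGE.match(spec)
    if not match:
        raise ValueError(f"unsupported <time> value: {spec!r}")
    return (_minute_of_day(*match.group(1, 2, 3)),
            _minute_of_day(*match.group(4, 5, 6)))


def in_time_range(spec, when):
    """True if datetime `when` lies in the window. A window whose end is
    earlier than its start (7 pm - 7:00 am) wraps across midnight."""
    start, end = parse_time_range(spec)
    now = when.hour * 60 + when.minute
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def event_time(log_line):
    """Timestamp of a 'YYYY Mon DD HH:MM:SS ...' line such as the one in the post."""
    match = _LINE_TS.match(log_line)
    if not match:
        raise ValueError("line does not start with a 'YYYY Mon DD HH:MM:SS' timestamp")
    return datetime.strptime(match.group(1), "%Y %b %d %H:%M:%S")


# Constructed sample: the timestamp prefix from the post's event, body abbreviated.
SAMPLE_LINE = "2021 Oct 22 02:41:37 WinEvtLog: Security: AUDIT_SUCCESS(4624): ..."
print(in_time_range("7 pm - 7:00 am", event_time(SAMPLE_LINE)))  # True: 02:41 is in the window
```

The time to check is passed in explicitly, so the same function can be tried both against the event's own timestamp and against the clock at the moment ossec-logtest is run.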