CDB List Capabilities
506 views
Skip to first unread message
serano...@gmail.com
Sep 4, 2022, 12:34:46 PM9/4/22
to Wazuh mailing list
Hi All.
I'm trying to better understand how CDB List works, i've created a list of windows users and create this rule to check if works:
<rule id="200011" level="6">
<if_sid>200005</if_sid>
<list field="user" lookup="match_key">etc/lists/test</list>
<description>TEST</description>
</rule>
<if_sid>200005</if_sid>
<list field="user" lookup="match_key">etc/lists/test</list>
<description>TEST</description>
</rule>
rule 200005 is triggered, but not 200011
but it not match, so i tried this:
<rule id="200011" level="6">
<if_sid>200005</if_sid>
<list field="win.eventdata.subjectUserName" lookup="match_key">etc/lists/test</list>
<description>TEST</description>
</rule>
<if_sid>200005</if_sid>
<list field="win.eventdata.subjectUserName" lookup="match_key">etc/lists/test</list>
<description>TEST</description>
</rule>
still not luky... i'm missing something?
Thanks and have a nice day.
Sebastian Falcone
Sep 4, 2022, 2:25:11 PM9/4/22
to Wazuh mailing list
Hi Stefano, hope you are doing great!
Lets take a look at this. Do you have an example of an event log that should trigger this rule?
Lets take a look at this. Do you have an example of an event log that should trigger this rule?
Sebastian Falcone
Sep 4, 2022, 5:36:25 PM9/4/22
to Wazuh mailing list
Stefano, sorry for the delay
I'am sorry if I confused you, I need the event channel log, you send me the one that is stored at /var/oseec/logs.
It should look like this:
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4741","version":"0","level":"0","task":"13825","opcode":"0","keywords":"0x8020000000000000","systemTime":"2022-02-22T18:14:30.082254900Z","eventRecordID":"3256222","processID":"644","threadID":"1272","channel":"Security","computer":"T2-TEST-DC.SDTEST.INTERNAL","severityValue":"AUDIT_SUCCESS","message":"\"A computer account was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-3076146750-39566917-1392961547-500\r\n\tAccount Name:\t\tadministrator\r\n\tAccount Domain:\t\tSDTEST\r\n\tLogon ID:\t\t0xA827332\r\n\r\nNew Computer Account:\r\n\tSecurity ID:\t\tS-1-5-21-3076146750-39566917-1392961547-1114\r\n\tAccount Name:\t\tFAKEPC2$\r\n\tAccount Domain:\t\tSDTEST\r\n\r\nAttributes:\r\n\tSAM Account Name:\tFAKEPC2$\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t<never>\r\n\tAccount Expires:\t\t<never>\r\n\tPrimary Group ID:\t515\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t0x0\r\n\tNew UAC Value:\t\t0x85\r\n\tUser Account Control:\t\r\n\t\tAccount Disabled\r\n\t\t'Password Not Required' - Enabled\r\n\t\t'Workstation Trust Account' - Enabled\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t<value not set>\r\n\tDNS Host Name:\t\t-\r\n\tService Principal Names:\t-\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-\""},"eventdata":{"targetUserName":"FAKEPC2$","targetDomainName":"SDTEST","targetSid":"S-1-5-21-3076146750-39566917-1392961547-1114","subjectUserSid":"S-1-5-21-3076146750-39566917-1392961547-500","subjectUserName":"administrator","subjectDomainName":"SDTEST","subjectLogonId":"0xa827332","samAccountName":"FAKEPC2$","passwordLastSet":"%%1794","accountExpires":"%%1794","primaryGroupId":"515","oldUacValue":"0x0","newUacValue":"0x85","userAccountControl":" %%2080 %%2082 %%2087","logonHours":"%%1793"}}}
Also if you are testing this logs via wazuh-logtest tool, you need to take this in consideration:
Currently, there's no way to directly test Windows EventChannel logs using
https://groups.google.com/u/1/g/wazuh/c/UWL-BZI5c64/m/USjhPMPPAAAJ
I'am sorry if I confused you, I need the event channel log, you send me the one that is stored at /var/oseec/logs.
It should look like this:
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4741","version":"0","level":"0","task":"13825","opcode":"0","keywords":"0x8020000000000000","systemTime":"2022-02-22T18:14:30.082254900Z","eventRecordID":"3256222","processID":"644","threadID":"1272","channel":"Security","computer":"T2-TEST-DC.SDTEST.INTERNAL","severityValue":"AUDIT_SUCCESS","message":"\"A computer account was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-3076146750-39566917-1392961547-500\r\n\tAccount Name:\t\tadministrator\r\n\tAccount Domain:\t\tSDTEST\r\n\tLogon ID:\t\t0xA827332\r\n\r\nNew Computer Account:\r\n\tSecurity ID:\t\tS-1-5-21-3076146750-39566917-1392961547-1114\r\n\tAccount Name:\t\tFAKEPC2$\r\n\tAccount Domain:\t\tSDTEST\r\n\r\nAttributes:\r\n\tSAM Account Name:\tFAKEPC2$\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t<never>\r\n\tAccount Expires:\t\t<never>\r\n\tPrimary Group ID:\t515\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t0x0\r\n\tNew UAC Value:\t\t0x85\r\n\tUser Account Control:\t\r\n\t\tAccount Disabled\r\n\t\t'Password Not Required' - Enabled\r\n\t\t'Workstation Trust Account' - Enabled\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t<value not set>\r\n\tDNS Host Name:\t\t-\r\n\tService Principal Names:\t-\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-\""},"eventdata":{"targetUserName":"FAKEPC2$","targetDomainName":"SDTEST","targetSid":"S-1-5-21-3076146750-39566917-1392961547-1114","subjectUserSid":"S-1-5-21-3076146750-39566917-1392961547-500","subjectUserName":"administrator","subjectDomainName":"SDTEST","subjectLogonId":"0xa827332","samAccountName":"FAKEPC2$","passwordLastSet":"%%1794","accountExpires":"%%1794","primaryGroupId":"515","oldUacValue":"0x0","newUacValue":"0x85","userAccountControl":" %%2080 %%2082 %%2087","logonHours":"%%1793"}}}
Also if you are testing this logs via wazuh-logtest tool, you need to take this in consideration:
Currently, there's no way to directly test Windows EventChannel logs using
https://groups.google.com/u/1/g/wazuh/c/UWL-BZI5c64/m/USjhPMPPAAAJ
Sebastian Falcone
Sep 4, 2022, 5:38:55 PM9/4/22
to Wazuh mailing list
Also, it will be helpful to have the /lists/test file. Thanks in advance for your patience!
Stefano Serano
Sep 5, 2022, 3:43:02 AM9/5/22
to Sebastian Falcone, Wazuh mailing list
Hi Sebastian, hope this is what you've asked for:
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4672","version":"0","level":"0","task":"12548","opcode":"0","keywords":"0x8020000000000000","systemTime":"2022-09-05T07:30:14.322621700Z","eventRecordID":"706085","processID":"648","threadID":"9744","channel":"Security","computer":"SOC-DC01.soc-ngway.local","severityValue":"AUDIT_SUCCESS","message":"\"Special privileges assigned to new logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-598632658-3456686301-2170191157-500\r\n\tAccount Name:\t\tadministrator\r\n\tAccount Domain:\t\tNGWSOC\r\n\tLogon ID:\t\t0x1067B117\r\n\r\nPrivileges:\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeEnableDelegationPrivilege\r\n\t\t\tSeImpersonatePrivilege\r\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\""},"eventdata":{"subjectUserSid":"S-1-5-21-598632658-3456686301-2170191157-500","subjectUserName":"administrator","subjectDomainName":"NGWSOC","subjectLogonId":"0x1067b117","privilegeList":"SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege"}}},"location":"EventChannel"}
cdb list:
administrator2:SOC-DC01
administrator:NGWTEST,NGWSOC
stefano:TEST2
ngwtest:NGWTEST
administrator:NGWTEST,NGWSOC
stefano:TEST2
ngwtest:NGWTEST
Thanks for your help, have a nice day.
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/1OpAe-NB84U/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/48970faa-4374-41b8-af75-53569f9f5834n%40googlegroups.com.
Stefano Serano
Sep 5, 2022, 3:43:54 AM9/5/22
to Sebastian Falcone, Wazuh mailing list
ABout your last question, i'm not using wazuh tools, i just checking logs in alerts and archive .josn files.
Sebastian Falcone
Sep 5, 2022, 6:42:45 AM9/5/22
to Wazuh mailing list
Absolutely I will start working on this one
You too, have a nice day
You too, have a nice day
Sebastian Falcone
Sep 5, 2022, 8:11:28 AM9/5/22
to Wazuh mailing list
I will detaill all the steps I made (following the [documentation](https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html)):
- Add the list to ossec.conf (located at /var/ossec/etc/:
<ossec_config>
<ruleset>
<list>etc/lists/YOUR_LIST</list>
- Restart the manager
- I've changed a bit the list (following [this example](https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html#cdb-lists-examples) ).
RULE:
<rule id="200011" level="6">
<if_sid>200005</if_sid>
<list field="win.eventdata.subjectUserName" lookup="match_key">etc/lists/list</list>
<description>TEST</description>
</rule>
LIST:
administrator2:
administrator:
stefano:
ngwtest:
-if you want to segregate in multiple user types you will need to create multiple rules and have a different files
- Add the list to ossec.conf (located at /var/ossec/etc/:
<ossec_config>
<ruleset>
<list>etc/lists/YOUR_LIST</list>
- Restart the manager
- I've changed a bit the list (following [this example](https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html#cdb-lists-examples) ).
RULE:
<rule id="200011" level="6">
<if_sid>200005</if_sid>
<description>TEST</description>
</rule>
LIST:
administrator2:
administrator:
stefano:
ngwtest:
-if you want to segregate in multiple user types you will need to create multiple rules and have a different files
Sebastian Falcone
Sep 5, 2022, 8:20:13 AM9/5/22
to Wazuh mailing list
I have another alternative to segregate in user types:
RULES:
<rule id="200011" level="6">
<if_sid>200005</if_sid>
<list field="win.eventdata.subjectUserName" lookup="match_key_value" check_value="admin">etc/lists/list</list>
<description>ADMIN TEST</description>
</rule>
<rule id="200012" level="6">
<if_sid>200005</if_sid>
<list field="win.eventdata.subjectUserName" lookup="match_key_value" check_value="user">etc/lists/list</list>
<description>USER TEST</description>
</rule>
LIST:
administrator:admin
stefano:admin
justAcommonGuy:user
sebas:user
RULES:
<rule id="200011" level="6">
<if_sid>200005</if_sid>
<description>ADMIN TEST</description>
</rule>
<rule id="200012" level="6">
<if_sid>200005</if_sid>
<list field="win.eventdata.subjectUserName" lookup="match_key_value" check_value="user">etc/lists/list</list>
<description>USER TEST</description>
</rule>
LIST:
administrator:admin
stefano:admin
justAcommonGuy:user
sebas:user
Stefano Serano
Sep 5, 2022, 8:39:25 AM9/5/22
to Sebastian Falcone, Wazuh mailing list
Hi Sebastian.
Thanks for your help, i'll check later.
In the meantime i've another question for you:
I would like to use CDB list to check Admin user access to specific machines, the list could be something like this:
administrato:srv1,srv2
stefano:srv1
sebas:cli1,cli3
Is possible to use the field: "win.evendata.system.computer" into the option: check_value? like this:
<rule id="200012" level="6">
<if_sid>200005</if_sid>
<if_sid>200005</if_sid>
<list field="win.eventdata.subjectUserName" lookup="match_key_value" check_value="
win.evendata.system.computer ">etc/lists/list</list>
<description>USER TEST</description>
</rule>
that could be really helpfull for me to detect user accessing machines without authorization without creating anytime a new rule.
Let me know, and thanks again for your help.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/8f16a018-2047-4445-a2b6-c454d2f26bb2n%40googlegroups.com.
Sebastian Falcone
Sep 5, 2022, 9:17:16 AM9/5/22
to Wazuh mailing list
Remember that the list follows this schema -> key:value
The machines you want to monitor have their own agent?
- In that case the rules we came up with are good enough because the agent will only detect local events (unless you add another source of events such as syslog or remote monitoring).
The machines you want to monitor have their own agent?
- In that case the rules we came up with are good enough because the agent will only detect local events (unless you add another source of events such as syslog or remote monitoring).
Sebastian Falcone
Sep 6, 2022, 7:24:22 AM9/6/22
to Wazuh mailing list
Hi Stefano,
Good, we are making progress. Don't feel bad, I work every day with this and miss my things all the time!
The "check_value" parameter is related to the list file. So your rule translates to:
<rule id="200012" level="6">
<if_sid>200005</if_sid>
Good, we are making progress. Don't feel bad, I work every day with this and miss my things all the time!
The "check_value" parameter is related to the list file. So your rule translates to:
<rule id="200012" level="6">
<if_sid>200005</if_sid>
<list field="win.eventdata.subjectUserName" lookup="match_key_value" check_value=" win.evendata.system.computer ">etc/lists/list</list>
<description>USER TEST</description>
</rule>
</rule>
If the rule 200005 was triggered, then see the field "win.eventdata.subjectUserName" and check if the value matches with the key of "win.evendata.system.computer", located in the list file. The check the value retrieved on the log vs the one on the list.
Tell me again what you want to achieve,
have a nice day
Tell me again what you want to achieve,
have a nice day
Sebastian Falcone
Sep 7, 2022, 7:39:58 AM9/7/22
to Wazuh mailing list
Hi Stefano
Please remember that the format allowed on the lists is key:value.
An example of a valid list could be:
administrator:server1
administrator:server2
administrator1:server1
Also you are trying to match the field "data.win.system.computer", but check the json log there is no "data" field, change it to "win.system.computer"
___________
<description>TEST</description>
</rule>
This rule won't match because the list file is bad formated
Also, please use the reply all button located at google groups. In this way your messages are saved on this chat
Please remember that the format allowed on the lists is key:value.
An example of a valid list could be:
administrator:server1
administrator:server2
administrator1:server1
Also you are trying to match the field "data.win.system.computer", but check the json log there is no "data" field, change it to "win.system.computer"
___________
<rule id="200011" level="6">
<if_sid>200005</if_sid>
<list field="win.eventdata.subjectUserName" lookup="match_key_value" check_value="server1 ">etc/lists/list</list><if_sid>200005</if_sid>
<description>TEST</description>
</rule>
This rule won't match because the list file is bad formated
Also, please use the reply all button located at google groups. In this way your messages are saved on this chat
Stefano Serano
Sep 8, 2022, 6:47:05 AM9/8/22
to Sebastian Falcone, Wazuh mailing list
Hi Sebastian
k all works fine now, but i could not create a list like this:
administrator:server1
administrator:server2
administrator1:server1
administrator:server2
administrator1:server1
Because Kibana tell me that key need to be unique, so i could not add two time: "administrator", so i could check just one machine for one user.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/29b75e5d-4770-4938-8208-1bd7d245bc36n%40googlegroups.com.
Sebastian Falcone
Sep 8, 2022, 7:39:35 AM9/8/22
to Wazuh mailing list
Hi!
You could do it the other way around:
server1:administrator
server2:administrator
server1:administrator1
In this way the rule search for example every administrator value and checks against every key.
You could do it the other way around:
server1:administrator
server2:administrator
server1:administrator1
In this way the rule search for example every administrator value and checks against every key.
Reply all
Reply to author
Forward
0 new messages