Rule 60122 doesn't show up in security events on Windows


Mefisto Evil

May 3, 2023, 11:43:05 PM
to Wazuh mailing list
Why does a rule 60122 trigger not show up in security events? In the Windows security logs I can see these events, but in Wazuh I don't. Why?

Aditya Sharma

May 4, 2023, 12:16:54 AM
to Wazuh mailing list
Hi Mefisto, Thanks for using Wazuh!

Rule 60122 is a specific rule that is part of a security monitoring solution, and it's possible that the reason why it's not showing up in your Wazuh logs is due to how the rule is configured in your environment.

There are several factors that could cause Rule 60122 to not trigger in Wazuh:

  1. The rule is not enabled: It's possible that the rule is not enabled in Wazuh. Check your Wazuh configuration to ensure that the rule is enabled and active.
  2. The rule is not configured correctly: It's also possible that the rule is not configured correctly in Wazuh. Make sure that the rule is configured with the correct parameters, such as the correct log file or event ID.
  3. The log file is not being monitored: If Rule 60122 relies on a specific log file to trigger, it's possible that Wazuh is not configured to monitor that log file. Make sure that the log file is being monitored by Wazuh.
  4. The event is not being generated: Finally, it's possible that the event that Rule 60122 is looking for is not being generated in your environment. Make sure that the event is occurring in your environment and that it's being logged by the appropriate system or application.

To troubleshoot why Rule 60122 is not triggering in Wazuh, you can try testing the rule in isolation to see if it works correctly. You can also review your Wazuh configuration and logs to see if there are any errors or issues that might be preventing the rule from triggering.

Regards
Aditya Sharma

Mefisto Evil

May 4, 2023, 12:56:38 AM
to Wazuh mailing list
Hello @Aditya Sharma,

This is the standard Wazuh rule, not a custom one, so it should work out of the box.
1. Rule enabled: I didn't disable it with custom rules.
2. It is the out-of-the-box configuration and this seems OK to me, maybe I'm wrong?

  <rule id="60122" level="5">
    <if_sid>60105</if_sid>
    <field name="win.system.eventID">^529$|^4625$</field>
    <options>no_full_log</options>
    <description>Logon failure - Unknown user or bad password.</description>
    <mitre>
      <id>T1078</id>
      <id>T1531</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.1,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

3. Again, this is a standard Wazuh rule and this also seems OK to me.
4. The event is for sure being generated on the Windows workstation; I checked this many times.

What do you mean by "you can try testing the rule in isolation to see if it works correctly"? A new server?
To me there seem to be no errors in this rule.
Thursday, May 4, 2023 at 09:16:54 UTC+5, Aditya Sharma:
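Added example, not code from this thread or from Wazuh: a small Python model of the dependency the rule above declares with <if_sid>60105</if_sid>, run over constructed eventchannel logs. The parent rule's conditions (Security channel, severityValue AUDIT_FAILURE) and the trimmed event shape are assumptions; it shows that 60122 can only fire after its parent has matched, so an event the parent never sees produces no 60122 alert.

```python
import json
import re

# Minimal rule table. 60122 is the rule quoted in the post; the 60105 parent is a
# constructed simplification (assumed conditions), not the exact rule Wazuh ships.
RULES = {
    60105: {"level": 0, "if_sid": None,
            "fields": {"win.system.channel": r"^Security$",
                       "win.system.severityValue": r"^AUDIT_FAILURE$"}},
    60122: {"level": 5, "if_sid": 60105,
            "fields": {"win.system.eventID": r"^529$|^4625$"}},
}

def lookup(event, dotted):
    """Resolve a dotted Wazuh field name such as win.system.eventID in decoded JSON."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return str(node)

def rule_matches(event, rule_id, already_matched):
    rule = RULES[rule_id]
    if rule["if_sid"] is not None and rule["if_sid"] not in already_matched:
        return False  # if_sid: the parent never fired, so the child cannot fire
    for field, pattern in rule["fields"].items():
        value = lookup(event, field)
        if value is None or not re.search(pattern, value):
            return False
    return True

def evaluate(raw_log):
    """Return the id of the most specific rule that fires, or None if none does."""
    event = json.loads(raw_log)
    matched = []
    for rule_id in sorted(RULES):  # parents carry lower ids in this table
        if rule_matches(event, rule_id, matched):
            matched.append(rule_id)
    return matched[-1] if matched else None

def sample(event_id, channel, severity):
    # Constructed eventchannel log in the shape the agent forwards (fields trimmed).
    return json.dumps({"win": {"system": {
        "providerName": "Microsoft-Windows-Security-Auditing",
        "eventID": event_id, "channel": channel, "severityValue": severity}}})

LOGON_FAILURE = sample("4625", "Security", "AUDIT_FAILURE")  # fires 60122
SUCCESS_LOGON = sample("4624", "Security", "AUDIT_SUCCESS")  # parent silent: None
OTHER_FAILURE = sample("4776", "Security", "AUDIT_FAILURE")  # only the parent: 60105
```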

Mefisto Evil

May 7, 2023, 12:55:17 AM
to Wazuh mailing list
I also noticed this error on the agent side:
"wazuh-agent: ERROR: Could not EvtSubscribe() for (System) which returned (15001)"
What does this mean? Is this related to my problem?

Thursday, May 4, 2023 at 09:56:38 UTC+5, Mefisto Evil: