Decoder query: Windows event id 4740 not parsing all the fields

466 views
Skip to first unread message

Sumesh MS

unread,
Apr 20, 2017, 1:15:00 AM4/20/17
to Wazuh mailing list


Hi all


I have started working with Wazuh 3 days back. I was monitoring my Windows Active Directory infrastructure with ELK stack and winlogbeats to parse the events. I found WAZUH integration with ELK has more potential and features than ELK alone. I was looking for an event with Id : 4740 (domain account locked out) to generate alerts. Unfortunately the WAZUH does not decode all the required fields.


Please see the screens below. From the log with 4740 the most useful fields like account name and caller computer name is not parsed with the decoder, while winlogbeat is extracting the fields well.


Any hints to extract the computer name and account name fields?


Thanks in advance










Jesus Linares

unread,
Apr 20, 2017, 3:53:39 AM4/20/17
to Wazuh mailing list
Hi,

thank you for your feedback. Right now, we have windows decoders to extract some fields, we need to improve them to add the computer name, account name and other useful fields.

Anyway, we are planning to implement an "automatic decoder" to extract every field automatically without use xml decoders.

Thanks.
Regards.

Sumesh MS

unread,
Apr 20, 2017, 4:14:24 AM4/20/17
to Wazuh mailing list
Hi Jesus

Appreciate your prompt response. I will continue using the rulesets and decoders from Github. 
How would I know about your new updates on this?

many thanks 

Sumesh MS

Jesus Linares

unread,
Apr 26, 2017, 5:52:45 AM4/26/17
to Wazuh mailing list
Hi Sumesh,

I recommend you to follow the wazuh-ruleset repository and check out the changelog.

Thanks.
Regards.

Sumesh MS

unread,
Apr 26, 2017, 6:07:37 AM4/26/17
to Jesus Linares, Wazuh mailing list
Thanks Jesus. Appreciated

Regards
Sumesh

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/db530d1b-e6cd-4f9a-bcc1-30ba23b2cd0a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jesus Linares

unread,
Jul 31, 2017, 12:26:55 PM7/31/17
to Wazuh mailing list, je...@wazuh.com
Hi,

we fixed the decoder issue, it will be released with Wazuh 2.1: https://github.com/wazuh/wazuh-ruleset/issues/52

Thanks.
Regards.

Sumesh MS

unread,
Jul 31, 2017, 1:42:25 PM7/31/17
to Jesus Linares, Wazuh mailing list
Hi Jesus

Thats a good news. I appreciate your follow-up and response. 
Good job. Keep going.

Many thanks 
Regards Sumesh 

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a5d2adff-83f7-4eaa-93dd-50764be2efc6%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages