Correlation event


German DiCasas

Mar 19, 2024, 7:19:43 PM
to Wazuh | Mailing List
Hi team,

I have been reading a lot about correlation but without success over this case. So, I hope you give me a hand.

I need to create a rule that determines when an Active Directory user activates the "user must change password at next login" checkbox property, saves the changes and does the same thing again but now disables the same option. I have created the first rule, which detects when it is activated, but the second one is not working for me.

<rule id="100300" level="10">
  <if_sid>60110</if_sid>
  <field name="win.eventdata.passwordLastSet">%%1794</field>
  <description>user activate the option, user  $(win.eventdata.targetUserName)</description>
</rule>

The second rule is this, but it does not work since frequency needs to be 2 or more.

<rule id="100301" level="11" frequency="1" timeframe="60">
  <if_matched_sid>100300</if_matched_sid>
  <same_field>win.eventdata.targetUserName</same_field>
  <description>The user uncheck the option, user  $(win.eventdata.targetUserName)</description>
</rule>

The event ID is the same, 4738, but at the moment the box is checked the value of data.win.eventdata.passwordLastSet is %%1794.
When it is unchecked, the value is a date like 19/03/2024 20:08:42.
By performing this check and uncheck, the user who manages the AD user account allows the user to have the same password if it was blocked after a period of time without change.

Thanks


German DiCasas

Mar 21, 2024, 1:46:22 PM
to Wazuh | Mailing List
Hi team,

Any idea how to do that? Thanks

German DiCasas

Mar 25, 2024, 1:53:40 PM
to Wazuh | Mailing List
Hi... 

German DiCasas

Mar 25, 2024, 3:26:33 PM
to Wazuh | Mailing List
Hi,

Someone with a similar issue?

Mario Andres Ruiz Hernandez

Mar 26, 2024, 7:06:32 AM
to Wazuh | Mailing List
Please check the frequency allowed

frequency: Allowed values / Any number from 2 to 9999

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rule

German DiCasas

Mar 27, 2024, 8:28:39 AM
to Mario Andres Ruiz Hernandez, Wazuh | Mailing List
Hi Mario,

Maybe it was not clear in the consultation. That information is what I indicated in the first email and that is why it is the query. I read that document again that he sent me but I still can't find a solution to what I consulted.

The problem is how to make what I need to do work. That is, there are two consecutive events with the same id but they differ in a variable data.win.eventdata.passwordLastSet. I need to identify that sequence, that pattern, if those same events happen in a range of 5 minutes with eventid 4738 and the same user, then if so I need an alert. In the first event 4738 it has the field data.win.eventdata.passwordLastSet=%%1794 and in the second event the field data.win.eventdata.passwordLastSet=dd/mm/yyyy

Do you know how I can do that? Thanks, Mario, for the reply.




German DiCasas

Apr 9, 2024, 3:58:04 PM
to Wazuh | Mailing List
Any update or idea on this?

Mario Andres Ruiz Hernandez

Apr 17, 2024, 10:14:37 AM
to Wazuh | Mailing List
Hi German,

I'm doing some research on this with Wazuh's team. Please stay tuned.

German DiCasas

Apr 19, 2024, 1:47:57 PM
to Wazuh | Mailing List
Mario Andres, 

Thanks for the reply. Also let me know any fix to this particular issue.

Regards

Mario Andres Ruiz Hernandez

Apr 22, 2024, 10:57:48 AM
to Wazuh | Mailing List

German DiCasas

Apr 22, 2024, 1:32:52 PM
to Wazuh | Mailing List
It is the problem that I indicated to you from the beginning. same-field I can use it only when if_sid_matched and if_group_matched are present. And I can't use the latter because they require a minimum of 2.

They are two separate events. The first enters with <field name="win.eventdata.passwordLastSet">%%1794</field> and the second with a date. How can I define that order, that first the value is %%1794 and then it will be a date like 03/19/2024 20:08:42? Can that logic be done with Wazuh rules?

Mario Andres Ruiz Hernandez

Apr 26, 2024, 12:30:16 PM
to Wazuh | Mailing List
Yes, Wazuh can handle that kind of logic, but there is some work on the logic. Instead of using

<field name="win.eventdata.passwordLastSet">%%1794</field>

you should use something like this:

<field name="win.eventdata.passwordLastSet">%%1794|dateXYZ</field>

You can take a look at this too: https://www.reddit.com/r/Wazuh/comments/11xn1yf/how_to_write_a_rule_for_fields_comparison/

German DiCasas

Apr 29, 2024, 3:47:39 PM
to Wazuh | Mailing List
Yes, but it needs to be first %%1794 and then dateXYZ. The pipe is an OR. Or am I missing something?

Jorge Eduardo Molas

May 7, 2024, 7:44:31 AM
to Wazuh | Mailing List

Hello German.

I'm handling your case because Mario is currently on leave.

Reading the thread, I think I understand what he wants to achieve. The problem I infer is that first, you are trying to have the rule filter by an event value and the second rule (correlative rule) when the first rule is repeated more than x times to capture the username.

But, I think you will never get the desired result, because you are already filtering events and generating alerts with win.eventdata.passwordLastSet: '%%1794'. Consequently, if the correlative rule triggers an alert, it will be with this passwordLastSet value, which is not the desired one.

I guess you should look for another filtering route for the first rule that allows you to filter this event and generate the alert and then it repeats x times, there you filter by the event win.eventdata.passwordLastSet: YYYY-mm-dd. If you have multiple examples of this eventId, we could check a field that can be configured so that the first alert is generated.

In conclusion, the first filter in rule one blocks your attempt at rule two (correlated), as it corresponds to the same event id but with different values of the same key.
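
The sequence asked for in this thread (two 4738 events for the same targetUserName within 5 minutes, the first with passwordLastSet %%1794 and the second with a date) can also be checked outside the rule engine. The following is an added example, not part of the thread and not Wazuh code; the flat record layout, the `ts` field and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

FLAG_SET = "%%1794"             # value the thread reports when the box is checked
WINDOW = timedelta(minutes=5)   # range asked for in the thread

# Constructed sample records. The flat layout and "ts" are assumptions;
# only the eventdata field names and value formats come from the thread.
EVENTS = [
    {"ts": "2024-03-19T20:05:10", "eventID": "4738", "targetUserName": "alice", "passwordLastSet": "%%1794"},
    {"ts": "2024-03-19T20:06:00", "eventID": "4738", "targetUserName": "bob", "passwordLastSet": "19/03/2024 20:06:00"},
    {"ts": "2024-03-19T20:08:42", "eventID": "4738", "targetUserName": "alice", "passwordLastSet": "19/03/2024 20:08:42"},
    {"ts": "2024-03-19T20:10:00", "eventID": "4738", "targetUserName": "carol", "passwordLastSet": "%%1794"},
    {"ts": "2024-03-19T20:30:00", "eventID": "4738", "targetUserName": "carol", "passwordLastSet": "19/03/2024 20:30:00"},
]

def is_date(value):
    """True when passwordLastSet holds a dd/mm/yyyy HH:MM:SS timestamp."""
    try:
        datetime.strptime(value, "%d/%m/%Y %H:%M:%S")
        return True
    except (TypeError, ValueError):
        return False

def find_toggles(events, window=WINDOW):
    """Return (user, checked_at, unchecked_at) for each ordered check/uncheck pair."""
    pending = {}   # user -> time the flag was last set
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("eventID") != "4738":
            continue
        user = ev["targetUserName"].lower()
        when = datetime.fromisoformat(ev["ts"])
        value = ev.get("passwordLastSet")
        if value == FLAG_SET:
            pending[user] = when          # first half of the pattern
        elif is_date(value):
            start = pending.pop(user, None)
            # Order matters: a date only counts if the flag was set before it.
            if start is not None and when - start <= window:
                hits.append((user, start, when))
        # any other value leaves the pending state untouched
    return hits

if __name__ == "__main__":
    for user, start, end in find_toggles(EVENTS):
        print(f"{user}: checked {start}, unchecked {end}")
```

Only alice is reported: bob has a date with no preceding %%1794, and carol's two events are 20 minutes apart.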

German DiCasas

May 10, 2024, 2:23:32 PM
to Wazuh | Mailing List
Thanks for the reply... understand.

Tell me if it is possible to create a rule that takes information from two decoders and compares them? That is, I have decoder A with its rule 1A and decoder B with its rule 1B. I would like a 1c rule that has an if_sid_match of 1A and an if_sid_match of 1B, and then compares a port field but in decoder A it is src_port_decodera and in decoder B it is scrportdecoder_b.

That is, creating a rule to compare two variables from two different decoders, is it possible?

Regards

Jorge Eduardo Molas

May 13, 2024, 10:31:52 AM
to Wazuh | Mailing List
Hi German!
You could check this link, here it explains how to use sibling decoders and comparisons between the fields.
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/sibling-decoders.html

German DiCasas

May 16, 2024, 6:07:37 PM
to Wazuh | Mailing List
Jorge,

I have two different decoders. Let's say it's a Fortinet decoder and another Cisco FTD decoder. I want to compare in a rule variables that the Fortinet decoder has against variables of the Cisco decoder.

I mean they are two completely different decoders and I don't see how to use sibling on this matter. The log that reaches each decoder is different.
