corelation event

[German DiCasas]

Hi team,

I have been reading a lot about correlation but without success over this case. So, I hope you give me a hand.

I need to create a rule that determines when an active directory user activates the property  "user must change password at next login" checkbox, saves the changes and does the same thing again but now disables the same option. I have created the first rule in which it detects when it is activated but the second one is not working for me.

<rule id="100300" level="10">
        <if_sid>60110</if_sid>
        <field name="win.eventdata.passwordLastSet">%%1794</field>
        <description>user activate the option, user  $(win.eventdata.targetUserName)</description>
     </rule>

The the second rule is this but do not work since frecuency need to be 2 or more. 

<rule id="100301" level="11" frequency="1" timeframe="60">
        <if_matched_sid>100300</if_matched_sid>
        <same_field>win.eventdata.targetUserName</same_field>
        <description>The user uncheck the option, user  $(win.eventdata.targetUserName)</description>
     </rule>    -->  

The eventid is the same 4738 but at the moment that check the box the value of 

data.win.eventdata.passwordLastSet is %%1794
When unckeck the value is the date like 19/03/2024 20:08:42
By performing this check and uncheck, the user who manages the AD user account allows the user to have the same password if it was blocked after a period of time without change.

Thanks

[German DiCasas]

Hi team,

Any idea to do that? thaks

[German DiCasas]

Hi... 

[German DiCasas]

Hi,

Someone with similar issue ?

[Mario Andres Ruiz Hernandez]

Please check the frecuency allowed 

frequency: Allowed values / Any number from 2 to 9999

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rule

[German DiCasas]

Hi Mario,

Maybe it was not clear in the consultation. That information is what I indicated in the first email and that is why it is the query. I read that document again that he sent me but I still can't find a solution to what I consulted.

The problem is how to make what I need to do work. That is, there are two consecutive events with the same id but they differ in a variable data.win.eventdata.passwordLastSet. I need to identify that sequence, that pattern, if those same events happen in a range of 5 minutes with eventid 4738 and the same user, then if so I need an alert. In the first event 4738 it has the field data.win.eventdata.passwordLastSet=%%1794 and in the second event the field data.win.eventdata.passwordLastSet=dd/mm/yyyy

Do you know how can I do that? thank Mario for the reply

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/AoUMaxEWSp4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/15cd8dc0-65b7-4b85-aea1-420ee0e1126cn%40googlegroups.com.

[German DiCasas]

any update or idea over this?

[Mario Andres Ruiz Hernandez]

Hi German,

I'm doing some research on this with Wazuh's team. Please stay tuned.

[German DiCasas]

Mario Andres, 

Thanks for the reply. Also let me know any fix to this particular issue.

Regards

[Mario Andres Ruiz Hernandez]

Hi German,

There are some rules you can use for this endeavor:

if-matched-sid: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-matched-sid
if-matched-group: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-matched-group
same-field: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#same-field

This is a bit old but explains other rules related to correlation events: https://groups.google.com/g/wazuh/c/t9P9CNs5T9M

[German DiCasas]

It is the problem that I indicated to you from the beginning. same-field I can use it only when if_sid_matched and if_group_matched are present. And I can't use the latter because they require a minimum of 2.

They are two separate events. the first enters with field name="win.eventdata.passwordLastSet">%%1794</field> and the second with a date. How can I define that order that first the value is %%1794 and then it will be a link date 03/19/2024 20:08:42? Can be done that logic over wazuh rules?

[Mario Andres Ruiz Hernandez]

Yes, wazuh can handle that kind of logic, but there is some work on the logic. Instead of using

<field name="win.eventdata.passwordLastSet">%%1794</field>

you should use something like this:

<field name="win.eventdata.passwordLastSet">%%1794|dateXYZ</field> 

you can take a look at this too https://www.reddit.com/r/Wazuh/comments/11xn1yf/how_to_write_a_rule_for_fields_comparison/

[German DiCasas]

Yes,  but need to be first    %%1794  and then  dateXYZ. The pipe is a OR.  Or I miss something? 

[Jorge Eduardo Molas]

Hello German.

I'm handling your case because Mario is currently on leave.

Reading the thread, I think I understand what he wants to achieve. The problem I infer is that first, you are trying to have the rule filter by an event value and the second rule (correlative rule) when the first rule is repeated more than x times to capture the username.

But, I think you will never get the desired result, because you are already filtering events and generating alerts with win.eventdata.passwordLastSet: '%%1794'. Consequently, if the correlative rule triggers an alert, it will be with this passwordLastSet value, which is not the desired one.

I guess, you should look for another filtering route for the first rule that allows you to filter this event and generate the alert and then it repeats x times, there you filter by the event win.eventdata.passwordLastSet: YYYY-mm-dd.If you have multiple examples of this eventId, we could check a field that can be configured so that the first alert is generated.

In conclusion, the first filter in rule one blocks your attempt at rule two (correlated), as it corresponds to the same event id but with different values of the same key.

[German DiCasas]

thanks or the reply... undertand.

Tell me if it is possible to create a rule that takes information from two decoders and compares them? That is, I have decoder A with its rule 1A and decoder B with its rule 1B. I would like a 1c rule that has an if_sid_match of 1A and an if_sid_match of 1B, and then compares a port field but in decoder A it is src_port_decodera and in decoder B it is scrportdecoder_b.

That is, creating a rule to compare two variables from two different decoders, is it possible?

Regards

[Jorge Eduardo Molas]

Hi German!

You could check this link, here it explains how to use sibling decoders and comparisons between the fields.
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/sibling-decoders.html

[German DiCasas]

Jorge,

I have two different decoders. Let's say it's a Fortinet decoder and another Cisco ftd decoder. I want to compare in a rule variables that the fortinet decoder has against variables of the cisco decoder.

I mean they are two completely different decoders and I don't see how to use sibling on this matter. The log that reaches each decoder is different.