Wazuh: Logon Type notifications

Kara Tanaka

Dec 3, 2024, 8:57:23 PM12/3/24
to Wazuh | Mailing List
Hello,

I'm trying to create notifications for certain types of logins during certain time periods. When I use the default rules, there are way too many notifications, so I'm hoping to narrow down the notifications to logon types 2, 3, 8, and 10 (and no service accounts). My ruleset in local rules does not seem to be working (see below). I also restarted the Wazuh manager and tried "Logon Type:   3" (with extra spaces). Any idea how I can make this work?

<group name="policy_violation,">
  <rule id="100011" level="12">
    <if_group>authentication_success</if_group>
    <time>12 pm - 8:30 am</time>
    <match>Logon Type: 3</match>
    <description>Successful network login (type 3) during non-business hours.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="100012" level="12">
    <if_group>authentication_success</if_group>
    <weekday>weekends</weekday>
    <match>Logon Type: 3</match>
    <description>Successful network login (type 3) during weekend.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>login_day,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="100013" level="12">
    <if_group>authentication_success</if_group>
    <time>12 pm - 8:30 am</time>
    <match>Logon Type: 2</match>
    <description>Successful interactive login (type 2) during non-business hours.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="100014" level="12">
    <if_group>authentication_success</if_group>
    <weekday>weekends</weekday>
    <match>Logon Type: 2</match>
    <description>Successful interactive login (type 2) during weekend.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>login_day,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
  <rule id="100017" level="12">
    <if_group>authentication_success</if_group>
    <time>12 pm - 8:30 am</time>
    <match>Logon Type: 3</match>
    <description>Successful network login (type 3) during non-business hours.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="100018" level="12">
    <if_group>authentication_success</if_group>
    <weekday>weekends</weekday>
    <match>Logon Type: 3</match>
    <description>Successful network login (type 3) during weekend.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>login_day,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="100015" level="12">
    <if_group>authentication_success</if_group>
    <time>12 pm - 8:30 am</time>
    <match>Logon Type: 10</match>
    <description>Successful remote interactive login (type 10) during non-business hours.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="100016" level="12">
    <if_group>authentication_success</if_group>
    <weekday>weekends</weekday>
    <match>Logon Type: 10</match>
    <description>Successful remote interactive login (type 10) during weekend.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>login_day,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="100019" level="12">
    <if_group>authentication_success</if_group>
    <time>6 pm - 8:30 am</time>
    <match>Logon Type: 8</match>
    <description>Successful networkcleartext login (type 8) during non-business hours.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="100020" level="12">
    <if_group>authentication_success</if_group>
    <weekday>weekends</weekday>
    <match>Logon Type: 8</match>
    <description>Successful networkcleartext login (type 8) during weekend.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>login_day,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

<group name="exceptions,">
  <rule id="100021" level="0">
    <if_sid>100011, 100012, 100013, 100014, 100015, 100016, 100017, 100018, 100019, 100020</if_sid>
    <match>Account Name: SYSTEM</match>
    <description>Ignore system user</description>
    <group>pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="100022" level="0">
    <if_sid>100011, 100012, 100013, 100014, 100015, 100016, 100017, 100018, 100019, 100020</if_sid>
    <match>Account Name: svc_123</match>
    <description>Ignore palo alto user</description>
    <group>pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>
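As an added example (not the poster's rules and not Wazuh's own matching engine), the following Python mirrors the policy the rules above intend: the watched logon types, the after-hours window that crosses midnight, the weekend check, and the SYSTEM/svc_123 exceptions, evaluated over constructed sample 4624-style event lines so the expected alert set can be checked independently of the XML. The timestamps, account names and event text are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample events in the plain-text form the <match> elements expect.
# 2024-12-02 is a Monday, 2024-11-30 a Saturday (real calendar, constructed events).
SAMPLE_EVENTS = [
    ("2024-12-02 03:15:00", "Logon Type: 3 Account Name: alice"),
    ("2024-12-02 10:00:00", "Logon Type: 3 Account Name: alice"),
    ("2024-12-02 03:15:00", "Logon Type: 3 Account Name: SYSTEM"),
    ("2024-11-30 14:00:00", "Logon Type: 10 Account Name: bob"),
    ("2024-12-02 03:15:00", "Logon Type: 5 Account Name: carol"),
    ("2024-12-03 22:00:00", "Logon Type: 8 Account Name: svc_123"),
    ("2024-12-03 22:00:00", "Logon Type:   8 Account Name: dave"),
]

# Logon types the poster wants alerts for, and the accounts the level-0 rules ignore.
WATCHED_TYPES = {2, 3, 8, 10}
IGNORED_ACCOUNTS = {"SYSTEM", "svc_123"}
# Start of "non-business hours" per logon type (12 pm for 2/3/10, 6 pm for 8),
# always ending at 8:30 am the next day, as in the <time> elements above.
AFTER_HOURS_START = {2: (12, 0), 3: (12, 0), 10: (12, 0), 8: (18, 0)}
AFTER_HOURS_END = (8, 30)

def in_window(ts, start, end):
    """True if the time of day of ts lies in [start, end); handles windows that wrap past midnight."""
    t = (ts.hour, ts.minute)
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def classify(timestamp, message):
    """Return the alert label the rules intend for one event, or None if no alert should fire."""
    ts = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S")
    m_type = re.search(r"Logon Type:\s*(\d+)", message)   # \s* tolerates the padded spacing
    m_acct = re.search(r"Account Name:\s*(\S+)", message)
    if not m_type or not m_acct:
        return None
    logon_type = int(m_type.group(1))
    if logon_type not in WATCHED_TYPES or m_acct.group(1) in IGNORED_ACCOUNTS:
        return None
    if ts.weekday() >= 5:                      # Saturday or Sunday
        return f"type {logon_type} login during weekend"
    if in_window(ts, AFTER_HOURS_START[logon_type], AFTER_HOURS_END):
        return f"type {logon_type} login during non-business hours"
    return None

def run(events=SAMPLE_EVENTS):
    """Evaluate every sample event and return (account, alert-or-None) pairs."""
    return [(msg.split("Account Name: ")[1], classify(ts, msg)) for ts, msg in events]
```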


Stuti Gupta

Dec 4, 2024, 2:23:53 AM12/4/24
to Wazuh | Mailing List
Hi Kara Tanaka,

Can you please share the sample logs for which you have created these rules, for testing purposes? To know more about the rule syntax, you can refer to https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

Hope to hear from you soon