Hi,
Let me try to help here.
Wazuh will collect this particular event from the Windows "Security" channel. This is an Audit event; by default it is likely that Audit Local Policies are disabled, so you have to go to "Local Security Policy" in your Windows system and enable the type of events you need to register (I'm attaching a picture for reference).
Wazuh has a set of Windows Security Rules that covers your scenario (0580-win-security_rules.xml). The specific rule you are looking for is this one:
<rule id="60113" level="5">
  <if_sid>60103</if_sid>
  <field name="win.system.eventID">^632$|^4728$|^633$|^4729$|^636$|^4732$|^637$|^4733$|^639$|^4735$|^641$|^4737$|^637$|^4733$|^659$|^4755$|^660$|^4766$|^668$|^4764$|^649$|^4745$|^650$|^4746$|^651$|^4747$|^654$|^4750$|^655$|^4751$|^656$|^4752$|^659$|^4755$|^660$|^4756$|^661$|^4757$|^664$|^4760$|^665$|^4761$|^666$|^4762$</field>
  <options>no_full_log</options>
  <description>Group account changed.</description>
  <mitre>
    <id>T1484</id>
  </mitre>
  <group>gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.10,group_changed,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_IA.4,pci_dss_10.2.5,pci_dss_8.1.2,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,win_group_changed,</group>
</rule>
As you can see, events 4732 and 4735 are included in the field match. The rule is triggered after matching rule 60103, which captures AUDIT_SUCCESS events:
<rule id="60103" level="0">
  <if_sid>60001</if_sid>
  <field name="win.system.severityValue">^AUDIT_SUCCESS$|^success$</field>
  <options>no_full_log</options>
  <description>Windows audit success event.</description>
</rule>
Also, it is important to check first whether the Wazuh agent is collecting those event IDs, by checking that they are not excluded inside the <localfile> setting in the configuration file, specifically under the "Security" channel. Go to your agent's "ossec.conf" file:
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4658 and EventID != 4660 and EventID != 4670 and EventID != 4690 and
    EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
    EventID != 5152 and EventID != 5157 and EventID != 4738 and EventID != 4728 and
    EventID != 4733 and EventID != 4729]</query>
</localfile>
The events above are going to be excluded by the agent unless you remove the tag EventID != xxxx.
Alternatively, you can also customize the rules using the original ones as a baseline. For example, to customize whenever an account is created, working specifically with event ID 4720, you could do something like:
<!-- BEGIN Windows Audit Rules - Account Management -->
<group name="windows, windows_auditing,">
  <rule id="115000" level="0">
    <if_sid>60109</if_sid>
    <options>no_full_log</options>
    <description>User account enabled or created.</description>
    <mitre>
      <id>T1098</id>
    </mitre>
    <group>account_changed,adduser,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.10,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_IA.4,pci_dss_10.2.5,pci_dss_8.1.2,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
  <rule id="115001" level="7">
    <if_sid>115000</if_sid>
    <field name="win.system.eventID">^4720$</field>
    <options>no_full_log</options>
    <description>Security Auditing: A user account was created.</description>
    <mitre>
      <id>T1098</id>
    </mitre>
    <group>account_changed,adduser,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.10,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_IA.4,pci_dss_10.2.5,pci_dss_8.1.2,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>
<!-- END Windows Audit Rules - Account Management -->
I hope this helps,
Regards
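The two things the reply above asks you to verify (that the rule chain 60001 -> 60103 -> 60113 / 115001 actually fires for a given event ID, and that the agent's <localfile> query is not dropping the event IDs the rule expects) can be checked with a small script before touching a production manager. The following is an added example, not Wazuh's own rule engine or any file shipped by the project. Rules 60103, 60113, 115000 and 115001 are copied from the thread (60113's field list is shortened to its first alternatives); rules 60001 and 60109 are simplified stand-ins I assume so that the chain has a root, and the <localfile> query is a shortened copy of the one in the thread. Matching uses Python's re module, which is a simplification of Wazuh's OSRegex but behaves the same for anchored alternations such as ^4720$|^4722$.

```python
"""Toy walk of a Wazuh rule chain plus an agent-side exclusion check (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed rule set. Wazuh rule files are XML fragments with several
# top-level <group> elements, so a synthetic <root> is wrapped around them.
# 60001 and 60109 are assumed stand-ins, not copies of the real rules.
RULES_XML = """<root>
<group name="windows,">
  <rule id="60001" level="0">
    <decoded_as>windows_eventchannel</decoded_as>
  </rule>
  <rule id="60103" level="0">
    <if_sid>60001</if_sid>
    <field name="win.system.severityValue">^AUDIT_SUCCESS$|^success$</field>
  </rule>
  <rule id="60109" level="8">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^624$|^4720$|^626$|^4722$</field>
  </rule>
  <rule id="60113" level="5">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^632$|^4728$|^633$|^4729$|^636$|^4732$|^637$|^4733$|^639$|^4735$</field>
  </rule>
</group>
<group name="windows, windows_auditing,">
  <rule id="115000" level="0">
    <if_sid>60109</if_sid>
  </rule>
  <rule id="115001" level="7">
    <if_sid>115000</if_sid>
    <field name="win.system.eventID">^4720$</field>
  </rule>
</group>
</root>"""

# Shortened copy of the thread's <query>; only the EventID != N terms matter here.
LOCALFILE_QUERY = ("Event/System[EventID != 5145 and EventID != 5156 and EventID != 4728 "
                   "and EventID != 4733 and EventID != 4729]")


def load_rules(xml_text):
    """Parse <rule> elements into dicts keyed by id, preserving file order."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        rules[r.get("id")] = {
            "id": r.get("id"), "level": int(r.get("level")),
            "if_sid": r.findtext("if_sid"), "decoded_as": r.findtext("decoded_as"),
            "fields": [(f.get("name"), f.text) for f in r.findall("field")],
        }
    return rules


def rule_matches(rule, event):
    """A rule matches when its decoder (if any) and every <field> regex match."""
    if rule["decoded_as"] and event.get("decoder") != rule["decoded_as"]:
        return False
    return all(event.get(n) is not None and re.search(p, event[n]) for n, p in rule["fields"])


def evaluate(rules, event):
    """Walk root rules, then children of each match; deepest match wins, level 0 = no alert."""
    def walk(candidates):
        for rule in candidates:
            if rule_matches(rule, event):
                deeper = walk([r for r in rules.values() if r["if_sid"] == rule["id"]])
                return deeper or rule
        return None
    return walk([r for r in rules.values() if r["if_sid"] is None])


def excluded_event_ids(query):
    """Event IDs the agent never forwards because of EventID != N terms in the query."""
    return set(re.findall(r"EventID\s*!=\s*(\d+)", query))


def dropped_at_agent(rules, rule_id, query):
    """Event IDs a rule matches on that the agent query filters out before they reach the manager."""
    wanted = set()
    for name, pattern in rules[rule_id]["fields"]:
        if name == "win.system.eventID":
            wanted.update(re.findall(r"\^(\d+)\$", pattern))
    return sorted(wanted & excluded_event_ids(query), key=int)


def make_event(event_id, severity="AUDIT_SUCCESS"):
    """Constructed decoded event with the flattened field names the rules use."""
    return {"decoder": "windows_eventchannel", "win.system.eventID": str(event_id),
            "win.system.severityValue": severity}


RULES = load_rules(RULES_XML)

if __name__ == "__main__":
    for eid in (4732, 4720, 4722):
        hit = evaluate(RULES, make_event(eid))
        print(f"event {eid}: rule {hit['id']} level {hit['level']}")
    print("60113 IDs dropped by the agent query:", dropped_at_agent(RULES, "60113", LOCALFILE_QUERY))
```

Running it shows event 4732 landing on rule 60113 (level 5) and 4720 landing on the custom 115001 (level 7), while 4728, 4729 and 4733 never reach the manager at all because the agent query excludes them, which is the point the reply makes about <localfile>. One caveat the output also makes visible: because the custom 115000 has level 0 and no <field>, any event that matched the parent 60109 but not 115001 (4722 under the stand-in) now ends on 115000 and produces no alert, so a level-0 child silences its parent for everything the grandchildren do not re-match.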