USE CASE FOR EVENT ID 4624


stefanny chavez anto

Nov 27, 2025, 5:21:40 AM
to Wazuh | Mailing List
Good morning, I need your help configuring the following use case:

Id de evento: 4624

Rule Name: Unusual Successful Logon

Description: Detects logons using privileged accounts or from suspicious logon types.

Detection Logic / Condition: LogonType not in (2,3); Account = Domain Admin; Time = Non-business hours

SOC Action Plan: Alert if: Privileged account logs in with unusual logon type

Internal Follow-Up : Confirm login source; Reset credentials if needed


I have made these configurations in the path /var/ossec/etc/rules/local_rules.xml, but I get a syntax error:

Could not upload rule (1113) - XML syntax error
Error: Could not upload rule (1113) - XML syntax error at WzRequest.returnErrorInstance (https://172.29.170.55/414003/bundles/plugin/wazuh/wazuh.plugin.js:1:501689) at WzRequest.apiReq (https://172.29.170.55/414003/bundles/plugin/wazuh/wazuh.plugin.js:1:500831) at async resources_handler_ResourcesHandler.updateFile (https://172.29.170.55/414003/bundles/plugin/wazuh/wazuh.chunk.2.js:1:4155928) at async file_editor_WzFileEditor.save (https://172.29.170.55/414003/bundles/plugin/wazuh/wazuh.chunk.2.js:1:4224963)

<group name="windows,logon_unusual_detection,">

  <rule id="100011" level="3" ignore="yes">
    <if_sid>31102</if_sid>
    <field name="win.eventdata.logonType">^4|^5|^6|^7|^8|^9|^10|^11</field>
    <options>no_alert</options>
    <description>Aux: Logon Type Inusual (4,5,6,7,8,9,10,11)</description>
  </rule>

  <rule id="100012" level="3" ignore="yes">
    <if_sid>31102</if_sid>
    <list field="win.eventdata.targetUserName" lookup="match_key_value">etc/lists/domain_admins.txt</list>
    <options>no_alert</options>
    <description>Aux: Logon de Cuenta de Domain Admin</description>
  </rule>

  <rule id="100013" level="3" ignore="yes">
    <if_sid>31102</if_sid>
    <time>00:00-07:59,20:00-23:59</time>
    <options>no_alert</options>
    <description>Aux: Logon Fuera de Horario Laboral (Non-business hours)</description>
  </rule>

</group>

Obinna Uchubilo

Nov 27, 2025, 7:15:25 AM
to Wazuh | Mailing List
Hello Stefanny,

From your rules, there are two issues with the syntax. First, the value of the tag ignore is any number from 1 to 999999, representing the time (in seconds) to ignore a rule after it triggers (to avoid floods). Refer to our documentation. The second issue is the value of the options tag. You can refer to our documentation here to see the acceptable values for this tag.

Regards

stefanny chavez anto

Nov 27, 2025, 11:37:19 AM
to Wazuh | Mailing List
Can you help me with the correct form of those 3 rules?

Obinna Uchubilo

Nov 28, 2025, 8:15:00 PM
to Wazuh | Mailing List
Hello Stefanny,

The rules should look like this

<group name="windows,logon_unusual_detection,">

  <rule id="100011" level="3" ignore="120">
    <if_sid>31102</if_sid>
    <field name="win.eventdata.logonType" type="pcre2">^4|^5|^6|^7|^8|^9|^10|^11</field>

    <options>no_alert</options>
    <description>Aux: Logon Type Inusual (4,5,6,7,8,9,10,11)</description>
  </rule>

  <rule id="100012" level="3" ignore="120">
    <if_sid>31102</if_sid>
    <!-- match_key: the username itself is the CDB key. match_key_value would
         also require a check_value attribute, and <list> takes no type attribute. -->
    <list field="win.eventdata.targetUserName" lookup="match_key">etc/lists/domain_admins.txt</list>
    <options>no_log</options>

    <description>Aux: Logon de Cuenta de Domain Admin</description>
  </rule>

  <rule id="100013" level="3" ignore="120">
    <if_sid>31102</if_sid>
    <time>00:00-07:59</time>
    <options>no_log</options>

    <description>Aux: Logon Fuera de Horario Laboral (Non-business hours)</description>
  </rule>
 
  <rule id="100014" level="3" ignore="120">
    <if_sid>31102</if_sid>
    <time>20:00-23:59</time>
    <options>no_log</options>

    <description>Aux: Logon Fuera de Horario Laboral (Non-business hours)</description>
  </rule>

</group>


Regards
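The corrected rules above are each syntactically valid, but they are siblings that all hang off 31102, and Wazuh settles on one matching rule per event, so the three conditions are never combined into the single "privileged account, unusual logon type, outside business hours" alert the use case asks for. Below is an added example, not code from the thread or from the Wazuh ruleset, that chains the conditions with `if_sid` so that a level 12 alert fires only when all three hold. Assumptions: the parent rule is 31102 as used in the thread (check that it really is the 4624 rule in your ruleset; in the stock Wazuh 4.x ruleset the "Windows logon success" rule for 4624 is 60106), rule IDs 100011 to 100014 are unused, the CDB list is named `domain_admins`, and the sample list entries are constructed.

```xml
<!-- Added example, not code from the thread or from the Wazuh ruleset.
     File: /var/ossec/etc/rules/local_rules.xml
     Parent rule 31102 is kept as in the thread; rule IDs 100011 to 100014
     and the list name "domain_admins" are assumptions. -->
<group name="windows,logon_unusual_detection,">

  <!-- Step 1: successful logon (4624) whose logon type is anything other
       than 2 (Interactive) or 3 (Network), i.e. the "not in (2,3)" of the
       use case, expressed as a negative lookahead. Level 0 rules are never
       alerted or logged; this one exists only as a parent for step 2. -->
  <rule id="100011" level="0">
    <if_sid>31102</if_sid>
    <field name="win.eventdata.logonType" type="pcre2">^(?!(?:2|3)$)\d+$</field>
    <description>Aux: 4624 with logon type other than 2 or 3</description>
  </rule>

  <!-- Step 2: ...and the target account is a key in the Domain Admins CDB
       list. match_key compares the username against the list keys only;
       match_key_value would additionally need a check_value attribute. -->
  <rule id="100012" level="0">
    <if_sid>100011</if_sid>
    <list field="win.eventdata.targetUserName" lookup="match_key">etc/lists/domain_admins</list>
    <description>Aux: 4624, unusual logon type, Domain Admin account</description>
  </rule>

  <!-- Step 3: ...and it is outside business hours. <time> takes a single
       range and is evaluated against the manager's clock when the event is
       analysed, not against the event timestamp, so the overnight window is
       split into two rules instead of relying on a wrap-around range. -->
  <rule id="100013" level="12">
    <if_sid>100012</if_sid>
    <time>20:00-23:59</time>
    <description>Unusual Successful Logon: Domain Admin $(win.eventdata.targetUserName) logged on with logon type $(win.eventdata.logonType) from $(win.eventdata.ipAddress) outside business hours</description>
    <mitre>
      <id>T1078.002</id>
    </mitre>
    <group>authentication_success,</group>
  </rule>

  <rule id="100014" level="12">
    <if_sid>100012</if_sid>
    <time>00:00-07:59</time>
    <description>Unusual Successful Logon: Domain Admin $(win.eventdata.targetUserName) logged on with logon type $(win.eventdata.logonType) from $(win.eventdata.ipAddress) outside business hours</description>
    <mitre>
      <id>T1078.002</id>
    </mitre>
    <group>authentication_success,</group>
  </rule>

</group>

<!-- File: /var/ossec/etc/ossec.conf. Add the list inside the existing
     <ruleset> block (shown here as a fragment) and restart wazuh-manager;
     the .cdb is compiled when analysisd starts. -->
<ruleset>
  <list>etc/lists/domain_admins</list>
</ruleset>

<!-- File: /var/ossec/etc/lists/domain_admins (constructed sample entries).
     One "key:value" per line; the value may be empty. CDB key lookups are
     exact string matches, so write the names in the case the domain
     controller logs them in TargetUserName.
Administrator:
mperez.da:
svc_sqlbackup:
-->
```

Check the chain with `/var/ossec/bin/wazuh-logtest`: paste a 4624 event exactly as the agent forwards it (the JSON carrying `win.system` and `win.eventdata`) and confirm that the rule phase ends at 100013 or 100014. Since `<time>` is checked against the current clock, a test run during business hours is expected to stop at 100012; run it inside the window or widen the range temporarily. Logon types 4 (Batch), 5 (Service) and 7 (Unlock) are routine for scheduled tasks, service accounts and screen unlocks, so plan to exclude specific accounts or types once the rule has run for a few days.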