Stolen Password


Luca Bassi

Oct 26, 2023, 10:32:23 AM
to Wazuh | Mailing List
Hi all, my name is Luca and I'm the CISO of an Italian company. I have been using Wazuh for several years, starting from a local installation and arriving at the Docker version, and I give my compliments on the quality of this SIEM/XDR.

One question: is there a way to detect simultaneous login connections from different IPs, or connections from unusual IPs, in the log data coming from Office 365?

I have enabled the Office 365 connector, but I have no alerts about anomalous user activity (stolen passwords). Actually I'm receiving login data, phishing attacks and all the other logs from Office 365, but not if a user logs in from different IPs simultaneously or from an unusual IP. Is there a way to create rules that scan the log data and find anomalies in user logins? I can't find any type of documentation to help me or to understand whether there is a way. I know about Microsoft services that can prevent this, but they are very expensive.

Thank you very much for your help

Best

Luca

Jimmy

Oct 26, 2023, 11:09:39 AM
to Wazuh | Mailing List
Hi,

I've only recently been using Wazuh, but I have been working in cyber with other tools for close to two years now, so I thought I'd offer some help.
I've noticed that when a user logs in, at least with Okta, the IP address and location are stored in the logs. You can use any GeoIP service such as MaxMind if your setup doesn't have it; just make an API call. But the important part is the haversine distance: the distance from one location to another, accounting for the curvature of the earth. You can compare this value with a realistic travel time, and if the estimated travel time is greater than the realistic travel time, you can trigger an alert saying "Geo-Impossible Login": the user logged in from two different locations in too short a time.
Note that any time someone uses a VPN or proxy, this alert gets triggered as well, but filtering it out could hide threat actors' activity, so it's just part of it.

I hope that helps.

Best,
Jimmy

Luca Bassi

Oct 27, 2023, 3:59:01 AM
to Wazuh | Mailing List
Hi Jimmy, really interesting suggestion for developing an efficacious algorithm. My compliments!!! 

Wazuh with Elasticsearch already has support for geolocation, and obviously you also have to think about the hardware resources needed by our servers for real-time analysis. To start, it might be sufficient to have a rule/background script that detects the anomalous connection based only on the simultaneity of the connections for each user and the time in which it changes, in order to generate an alert that allows an immediate and effective analysis and provides for a "managed" remediation with known possible false positives (easier to check). I fought for everyone to be equipped with MFA and succeeded, but, like any business, it is a progressive transition. However, service users remain outside of this context: tokens used for APIs with rotation through KMS services (they often stay there for months) and others to which additional security supports cannot be assigned. Tracking of this kind would, in my opinion, be the missing link. With AWS Cloud we have this type of control and analysis without an additional expensive budget, but not from Microsoft.

Best

Luca Bassi

Oct 27, 2023, 4:41:54 AM
to Wazuh | Mailing List
Hi all, I found on OpenAI a possible solution to create an alert about multiple connections for the same login, or anomaly detection using IP data and a time range to reduce false positives about users traveling:

To create a rule in Wazuh that detects multiple source IP addresses for the same login within a given time range, you can use Wazuh's threat detection module and define a custom rule based on authentication logs. You can take advantage of Wazuh's time correlation features to set the time range. Here's how you can do it:

1. **Log in to your Wazuh server**: Log in to your Wazuh server via SSH or a local session.

2. **Navigate to the custom rules directory**: Usually, custom Wazuh rules are created in the `/var/ossec/etc/rules/local` directory on the Wazuh server.

3. **Create a new rule file**: Use a text editor, such as `nano` or `vi`, to create a new rule file within the local directory. For example:

   ```
   sudo nano /var/ossec/etc/rules/local/your_custom_rules.xml
   ```

   Replace `your_custom_rules` with a descriptive name for your rule.

4. **Define Rule**: Enter the definition of your rule in the XML file. Here is an example of a rule to locate multiple source IP addresses for the same login within a given time interval (e.g., 10 minutes):

   ```xml
   <group name="authentication,">
     <rule id="100001" level="5">
       <decoded_as>json</decoded_as>
       <description>Detects multiple source IPs for the same login in the time range</description>
       <!-- the correlation elements (frequency/timeframe) were cut off in the original message -->
     </rule>
   </group>
   ```


Best

Luca

Luca Bassi

Oct 27, 2023, 6:35:06 AM
to Wazuh | Mailing List
Sorry, I'm using DeepL for a faster response.

This one with a specific IP:


<group name="authentication,">
  <!-- Single rule: fires on any JSON-decoded event whose source IP equals the one you pin below.
       Rule field names reference the decoded JSON keys without the "data." prefix used in alerts. -->
  <rule id="100001" level="5">
    <decoded_as>json</decoded_as>
    <field name="srcip">^your_ip_here$</field>
    <description>Rileva più IP di provenienza per la stessa login nel time range</description>
  </rule>
</group>

This one using the real user ip not defined by you:


<group name="authentication,">
  <!-- Base rule: any JSON-decoded login event carrying a user name and a source IP -->
  <rule id="100001" level="3">
    <decoded_as>json</decoded_as>
    <field name="user.name">\.+</field>
    <field name="srcip">\.+</field>
    <description>Login event with user and source IP</description>
  </rule>
  <!-- Correlation: the same user seen from a different source IP within 600 seconds -->
  <rule id="100002" level="5" frequency="2" timeframe="600">
    <if_matched_sid>100001</if_matched_sid>
    <same_field>user.name</same_field>
    <different_field>srcip</different_field>
    <description>Rileva più IP di provenienza per la stessa login nel time range</description>
  </rule>
</group>


<group name="authentication,">
  <!-- Base rule: successful Windows logon (event 4624) with account name and source address -->
  <rule id="100003" level="3">
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.eventID">^4624$</field>
    <field name="win.eventdata.targetUserName">\.+</field>
    <field name="win.eventdata.ipAddress">\.+</field>
    <description>Windows logon with account and source address</description>
  </rule>
  <!-- Correlation: the same account logging on from a different address within 600 seconds -->
  <rule id="100004" level="5" frequency="2" timeframe="600">
    <if_matched_sid>100003</if_matched_sid>
    <same_field>win.eventdata.targetUserName</same_field>
    <different_field>win.eventdata.ipAddress</different_field>
    <description>Rileva più IP di provenienza per la stessa login nel time range</description>
  </rule>
</group>

This one for Office 365 integration:


<group name="authentication,">
  <!-- Base rule: Office 365 sign-in events delivered by the Wazuh office365 module -->
  <rule id="100005" level="3">
    <decoded_as>json</decoded_as>
    <field name="integration">office365</field>
    <field name="office365.Operation">UserLoggedIn</field>
    <field name="office365.UserId">\.+</field>
    <field name="office365.ClientIP">\.+</field>
    <description>Office 365 login with user and client IP</description>
  </rule>
  <!-- Correlation: the same user signing in from a different client IP within 600 seconds -->
  <rule id="100006" level="5" frequency="2" timeframe="600">
    <if_matched_sid>100005</if_matched_sid>
    <same_field>office365.UserId</same_field>
    <different_field>office365.ClientIP</different_field>
    <description>Rileva più IP di provenienza per la stessa login nel time range</description>
  </rule>
</group>

I will update you as soon as I have tested it in my environment

Best 

Luca
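
A Python sketch of the two checks discussed in this thread (Jimmy's haversine-based impossible-travel test, and the same-user/different-IP window that the rules above express with frequency and timeframe), written here as an added example rather than anything from the thread or from Wazuh itself. The sample login lines, the coordinates, the 600-second window and the 900 km/h speed ceiling are all constructed assumptions:

```python
import json
import math

MAX_SPEED_KMH = 900.0   # assumed ceiling for plausible air travel (tune to taste)
WINDOW_SECONDS = 600    # the thread's 10-minute correlation window

# Constructed sample login events shaped like the Wazuh office365 fields (UserId, ClientIP);
# lat/lon are assumed to have been attached earlier by a GeoIP lookup (e.g. MaxMind).
SAMPLE_LOGINS = """
{"UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ts": 0,     "lat": 45.4642, "lon": 9.1900}
{"UserId": "bob@example.com",   "ClientIP": "203.0.113.20", "ts": 60,    "lat": 45.4642, "lon": 9.1900}
{"UserId": "alice@example.com", "ClientIP": "198.51.100.7", "ts": 300,   "lat": 41.9028, "lon": 12.4964}
{"UserId": "bob@example.com",   "ClientIP": "203.0.113.20", "ts": 400,   "lat": 45.4642, "lon": 9.1900}
{"UserId": "alice@example.com", "ClientIP": "192.0.2.33",   "ts": 28800, "lat": 52.5200, "lon": 13.4050}
"""

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km, accounting for the curvature of the earth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def load_events(text):
    """Parse JSON lines into dicts, ordered by timestamp (epoch seconds)."""
    return sorted((json.loads(l) for l in text.splitlines() if l.strip()), key=lambda e: e["ts"])

def analyse(events):
    """Return (user, alert_type, detail) tuples for the two checks discussed in the thread."""
    alerts, last, recent = [], {}, {}
    for ev in events:
        user, ip, ts = ev["UserId"], ev["ClientIP"], ev["ts"]
        # Check 1: more than one distinct source IP for the same user inside the window.
        seen = recent[user] = [(t, i) for t, i in recent.get(user, []) if ts - t <= WINDOW_SECONDS] + [(ts, ip)]
        ips = sorted({i for _, i in seen})
        if len(ips) > 1:
            alerts.append((user, "multiple_src_ip", ips))
        # Check 2: implied travel speed since this user's previous login from another IP.
        prev = last.get(user)
        if prev and prev["ClientIP"] != ip:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = max(ts - prev["ts"], 1) / 3600.0   # guard against a zero time delta
            if km / hours > MAX_SPEED_KMH:
                alerts.append((user, "impossible_travel", round(km)))
        last[user] = ev
    return alerts

def run_sample():
    return analyse(load_events(SAMPLE_LOGINS))
```

On the sample data only alice's second login (Milan to Rome in five minutes) trips both checks; her Berlin login eight hours later is outside the window and within a plausible speed, and bob never alerts. As Jimmy notes, a VPN or proxy exit shifting between logins produces the same signal.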