Email Notification -User Authentication Failed - New Case


Prachi Katakwar

Jun 29, 2021, 8:26:38 AM
to Sandra Ocando, Wazuh mailing list

Hi Sandra,

Hope you are doing good and safe.

Since you were handling the case before and you know the history, I have addressed this to you.

Is it possible, whenever we have any user authentication failure, to get an email for it?

I mean it's cool that user authentication failures appear as red points on Kibana, but it would be great if we could also get an email for them.

BR

//Prachi

Sandra Ocando

Jun 30, 2021, 2:42:06 AM
to Prachi Katakwar, Wazuh mailing list
Hi Prachi,

To configure these email notifications you may modify the custom rule to include the alert by mail option:

<rule id="100006" level="3">
  <if_sid>100002</if_sid>
  <options>alert_by_email</options>
  <match>Primary authentication failed | Login failed | Authentication failure </match>
  <description>Pulse Secure:Login failed</description>
</rule>

This configuration will override your global settings and you will receive the email notifications although the alert level may be lower than the global setting. Remember to restart the Wazuh manager after editing the rules.

Best regards,
Sandra.

Prachi Katakwar

Jun 30, 2021, 8:57:17 AM
to Sandra Ocando, Wazuh mailing list

Hi Sandra,

I have included the rule given by you with rule id = “100007” in local_rules.xml, but on testing the email didn’t come.

If I give rule id = “100006”, then while restarting the Wazuh manager it gives an error about duplicate ids.

[root@sekaissecdetection ~]# cat /var/ossec/etc/rules/local_rules.xml

<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2020, Wazuh Inc. -->

<!-- Example -->
<group name="local,syslog,sshd,">

  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="60612" level="3" overwrite="yes">
    <if_sid>60609</if_sid>
    <field name="win.system.eventID">^11707$|^1033$</field>
    <description>Application Installed $(win.eventdata.data)</description>
    <options>no_full_log</options>
    <options>no_email_alert</options>
  </rule>

  <rule id="100002" level="0" noalert="1">
    <decoded_as>pulsesecure</decoded_as>
    <description>Pulse Secure messages grouped.</description>
  </rule>

  <rule id="100003" level="3">
    <if_sid>100002</if_sid>
    <match>Remote address</match>
    <description>Pulse secure: Remote address for user changed </description>
  </rule>

  <rule id="100004" level="3">
    <if_sid>100002</if_sid>
    <match>Primary authentication successful</match>
    <description>Pulse Secure:Primary authentication successful</description>
  </rule>

  <rule id="100005" level="3">
    <if_sid>100002</if_sid>
    <match>Login succeeded</match>
    <description>Pulse Secure:Login succeeded</description>
  </rule>

  <rule id="100006" level="3">
    <if_sid>100002</if_sid>
    <match>Primary authentication failed | Login failed | Authentication failure </match>
    <description>Pulse Secure:Login failed</description>
  </rule>

  <rule id="100007" level="3">
    <if_sid>100002</if_sid>
    <options>alert_by_email</options>
    <match>Primary authentication failed | Login failed | Authentication failure </match>
    <description>Pulse Secure:Login failed</description>
  </rule>

</group>
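As an added example (not code from either poster), here is one way to wire the email alert into the existing rule 100006 rather than adding a second rule with the same parent and the same match, together with the manager-side mail settings that must also be on. It assumes Wazuh tests sibling child rules of 100002 in file order and keeps the first match, so a later identical rule (100007) never fires; the SMTP addresses are placeholders.

```xml
<!-- local_rules.xml: edit rule 100006 in place. No overwrite="yes" is needed here
     because 100006 is already defined in this file; that attribute is only for
     rules that ship with the ruleset (as done for 60612 above). A second rule
     100007 with the same <if_sid> and <match> is never reached, since the first
     matching sibling (100006) wins. -->
<group name="local,syslog,sshd,">
  <rule id="100006" level="3">
    <if_sid>100002</if_sid>
    <options>alert_by_email</options>
    <match>Primary authentication failed | Login failed | Authentication failure </match>
    <description>Pulse Secure:Login failed</description>
    <!-- Added group tag so the event lands in the same bucket as rule 100001. -->
    <group>authentication_failed,</group>
  </rule>
</group>

<!-- ossec.conf: alert_by_email only forces the rule past the global threshold;
     the manager still needs mail delivery enabled. Placeholder SMTP values. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>wazuh@example.com</email_from>
  </global>
  <alerts>
    <!-- Global threshold; rules carrying alert_by_email bypass it. -->
    <email_alert_level>12</email_alert_level>
  </alerts>
</ossec_config>
```

Before restarting the manager, a captured Pulse Secure "Login failed" line fed to /var/ossec/bin/wazuh-logtest (ossec-logtest on 3.x) shows which rule id actually fires, which is the quickest way to confirm that 100006 rather than 100007 is the one matching.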
