Hi Sandra,
Hope you are doing well and staying safe.
Since you were handling the case before and know the history, I am addressing this to you.
Is it possible, whenever a user authentication fails, to get an email for it?
I mean, it's cool that failed user authentications are shown as red points on Kibana, but it would be great if we could also get an email for them.
BR
//Prachi
Hi Sandra,
I have included the rule you gave with rule id = "100007" in local_rules.xml, but on testing the email didn't come ☹
If I use rule id = "100006", then on restarting the Wazuh manager it gives an error about duplicate ids.
[root@sekaissecdetection ~]# cat /var/ossec/etc/rules/local_rules.xml
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2020, Wazuh Inc. -->
<!-- Example -->
<group name="local,syslog,sshd,">
  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>
  <rule id="60612" level="3" overwrite="yes">
    <if_sid>60609</if_sid>
    <field name="win.system.eventID">^11707$|^1033$</field>
    <description>Application Installed $(win.eventdata.data)</description>
    <options>no_full_log</options>
    <options>no_email_alert</options>
  </rule>
  <rule id="100002" level="0" noalert="1">
    <decoded_as>pulsesecure</decoded_as>
    <description>Pulse Secure messages grouped.</description>
  </rule>
  <rule id="100003" level="3">
    <if_sid>100002</if_sid>
    <match>Remote address</match>
    <description>Pulse secure: Remote address for user changed</description>
  </rule>
  <rule id="100004" level="3">
    <if_sid>100002</if_sid>
    <match>Primary authentication successful</match>
    <description>Pulse Secure:Primary authentication successful</description>
  </rule>
  <rule id="100005" level="3">
    <if_sid>100002</if_sid>
    <match>Login succeeded</match>
    <description>Pulse Secure:Login succeeded</description>
  </rule>
  <rule id="100006" level="3">
    <if_sid>100002</if_sid>
    <match>Primary authentication failed | Login failed | Authentication failure </match>
    <description>Pulse Secure:Login failed</description>
  </rule>
  <!-- Note: 100007 has the same parent (100002), level and <match> as 100006.
       Wazuh fires only the first sibling that matches, and 100006 is listed first,
       so 100007 (and its alert_by_email option) is never reached. -->
  <rule id="100007" level="3">
    <if_sid>100002</if_sid>
    <options>alert_by_email</options>
    <match>Primary authentication failed | Login failed | Authentication failure </match>
    <description>Pulse Secure:Login failed</description>
  </rule>
</group>
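An added example (editor's illustration, not part of Prachi's or Sandra's messages) of how the Pulse Secure login-failure rule and the manager's email settings fit together. It keeps a single failure rule (100006) instead of the shadowed duplicate, puts `alert_by_email` on that rule so it is mailed regardless of `email_alert_level`, trims the literal spaces around `|` in `<match>` (in Wazuh's `<match>` syntax `|` is alternation and whitespace is matched literally), and adds an `<email_alerts>` block that routes that rule id to a mailbox. The SMTP host and e-mail addresses are placeholders; replace them with your own.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml : Pulse Secure section only -->
<group name="local,pulsesecure,">
  <!-- Parent rule: groups every pulsesecure-decoded message, no alert by itself -->
  <rule id="100002" level="0" noalert="1">
    <decoded_as>pulsesecure</decoded_as>
    <description>Pulse Secure messages grouped.</description>
  </rule>

  <!-- One failure rule; alert_by_email forces a mail even below email_alert_level.
       No second rule with the same parent/level/match, so this one always fires. -->
  <rule id="100006" level="5">
    <if_sid>100002</if_sid>
    <match>Primary authentication failed|Login failed|Authentication failure</match>
    <options>alert_by_email</options>
    <description>Pulse Secure: login failed</description>
    <group>authentication_failed,</group>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf : relevant parts only (placeholder hosts/addresses) -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>smtp.example.internal</smtp_server>
    <email_from>wazuh@example.internal</email_from>
    <email_to>soc@example.internal</email_to>
    <email_maxperhour>12</email_maxperhour>
  </global>

  <alerts>
    <!-- Generic threshold; rule 100006 is mailed anyway because of alert_by_email -->
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Granular routing: mail this rule id to this address without batching delay -->
  <email_alerts>
    <email_to>soc@example.internal</email_to>
    <rule_id>100006</rule_id>
    <do_not_delay />
  </email_alerts>
</ossec_config>
```

After restarting the manager, feed a real Pulse Secure log line into `/var/ossec/bin/ossec-logtest` (Wazuh 3.x) and check that the "Rule id" in its output is 100006; if a different rule id is shown, the message is being caught by another sibling first and no option on 100006 will help. Then watch `/var/ossec/logs/ossec.log` for maild errors if the alert appears in Kibana but the mail still does not arrive.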