New Case: Pulse secure logs on Wazuh Manager for Authentication Failed


Prachi Katakwar

Jun 15, 2021, 12:33:29 AM
to Sandra Ocando, Wazuh mailing list

Hi Sandra,


Since you know the complete history of our use case, I have addressed this new case, on the same old Pulse secure logs on Wazuh manager, to you.


I have opened a new case: may we have a custom rule and decoder for "authentication failed" for the Pulse secure logs below on the Wazuh manager? Since this is coming three times from the same source IP with different context, can we club them into one common rule and decoder, such that if any of the three logs comes to the Wazuh Manager, we get the GEO information associated with the source IP?


1 2021-06-15T05:43:10+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-15 05:43:10 - seliinfw00006 - [203.13.128.104] kalle....@optus.com.au(CUST)[] - Authentication failure for AD server 'vmxe014-vmxe064': specified account does not exist



1 2021-06-15T05:43:10+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-15 05:43:10 - seliinfw00006 - [203.13.128.104] optus.com.au\kalle.iivonen(CUST)[] - Primary authentication failed for optus.com.au\kalle.iivonen/vmxe014-vmxe064 from 203.13.128.104



1 2021-06-15T05:43:10+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-15 05:43:10 - seliinfw00006 - [203.13.128.104] optus.com.au\kalle.iivonen(CUST)[] - Login failed using auth server vmxe014-vmxe064 (Active Directory). Reason: Invalid Credentials


For the above authentication failed logs, may we have red colour points on the Kibana map, and can we simultaneously have both green and red points on the same map view (user login successful and user login failed)?


Also, I have one doubt:


The geo information would be coming for only those alerts of Pulse secure associated with a source IP on Wazuh manager whose custom rule and decoder is set? I mean the geo location won't come for every alert of Pulse secure associated with a source IP on Wazuh manager. Am I right in my understanding?


Waiting to hear from you.


BR

//Prachi


Sandra Ocando

Jun 15, 2021, 6:10:24 AM
to Prachi Katakwar, Wazuh mailing list
Hello Prachi,

Here are the custom decoders for the new logs you sent me:

<!--

1 2021-06-15T05:43:10+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-15 05:43:10 - seliinfw00006 - [203.13.128.104] kalle....@optus.com.au(CUST)[] - Authentication failure for AD server 'vmxe014-vmxe064': specified account does not exist
-->
<decoder name="pulsesecure_authentication_failure">
    <prematch>Authentication failure</prematch>
    <parent>pulsesecure</parent>
    <!-- user is the account in front of the realm "(CUST)"; the quoted AD server name goes to its own field instead of being stored as user -->
    <regex offset="after_parent" type="pcre2">^ - - - (\S+ \S+) - \S+ - \[(\S*)\] (\S+)\(\S+\)\[\] - Authentication failure for AD server '(\S+)'</regex>
    <order>pulsecure_time,srcip,user,auth_server</order>
</decoder>
<!--

1 2021-06-15T05:43:10+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-15 05:43:10 - seliinfw00006 - [203.13.128.104] optus.com.au\kalle.iivonen(CUST)[] - Primary authentication failed for optus.com.au\kalle.iivonen/vmxe014-vmxe064 from 203.13.128.104
-->
<decoder name="pulsesecure_primary_authentication_failed">
    <prematch>Primary authentication failed</prematch>
    <parent>pulsesecure</parent>
    <regex offset="after_parent" type="pcre2">^ - - - (\S+ \S+) - \S+ - \[(\S*)\] .+ - Primary authentication failed for (\S+) from \S+</regex>
    <order>pulsecure_time,srcip,user</order>
</decoder>
<!--

1 2021-06-15T05:43:10+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-15 05:43:10 - seliinfw00006 - [203.13.128.104] optus.com.au\kalle.iivonen(CUST)[] - Login failed using auth server vmxe014-vmxe064 (Active Directory). Reason: Invalid Credentials
-->
<decoder name="pulsesecure_login_failed">
    <prematch>Login failed</prematch>
    <parent>pulsesecure</parent>
    <!-- user is the account in front of the realm "(CUST)"; the auth server name goes to its own field; the "." after the bracket is escaped so it matches literally -->
    <regex offset="after_parent" type="pcre2">^ - - - (\S+ \S+) - \S+ - \[(\S*)\] (\S+)\(\S+\)\[\] - Login failed using auth server (\S+) \(Active Directory\)\. Reason: Invalid Credentials</regex>
    <order>pulsecure_time,srcip,user,auth_server</order>
</decoder>

Please note that the old custom decoder "pulsesecure_primary_authentication" prematch needs to be modified the following way:

<decoder name="pulsesecure_primary_authentication">
    <prematch>Primary authentication successful</prematch>
    <parent>pulsesecure</parent>
    <regex offset="after_parent" type="pcre2">^ - - - (\S+ \S+) .+ - Primary authentication successful for (\S+) from (\S+)</regex>
    <order>pulsecure_time,user,srcip</order>
</decoder>

Here's a custom rule "Pulse Secure:Login failed" for the new decoders:

  <!-- one rule for all three failure logs; "|" is OR in <match>, with no surrounding spaces so each alternative matches on its own -->
  <rule id="100006" level="3">
    <if_sid>100002</if_sid>
    <match>Primary authentication failed|Login failed|Authentication failure</match>
    <description>Pulse Secure:Login failed</description>
  </rule>

To create a map with green dots for the authentication success and red dots for the failed login you can create a map with a couple of layers and add a filter for each one (see attached images for more details).

1. Create a new map and add a Documents layer.
2. Add wazuh-alerts-* index pattern and click on Add layer.
3. Write the layer name, for example, "Login successful" .
4. Scroll down and look for Filtering > Add filter and add a filter, for example, rule.id:100005 and click on Set filter.  Click on Save & close on the bottom right corner.
5. Add a new layer.
6. Write the new layer name, for example, " Login failed".
7. Add a filter, for example, rule.id:100006.
8. Select Layer Style and pick a color, for example, red.
9. Save your map.

Regarding your question "The geo information would be coming for only those alerts of Pulse secure associated with a source IP on Wazuh manager whose custom rule and decoder is set? I mean the geo location won't come for every alert of Pulse secure associated with a source IP on Wazuh manager. Am I right in my understanding?": Geo information is added once "srcip" is decoded, so in order to get this information a custom decoder should be added for all the relevant Pulse Secure logs.

Best regards,
Sandra.
New_map_add_layer(1).png
Add_Wazuh_alerts_index_pattern(2).png
Set_layer_name(3).png
Add_filtering(4).png
Add_new_layer(5).png
New_layers_name(6).png
Add_filtering(7).png
Select_color(8).png
Save_map(9).png
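As an added check that is not part of the thread (my code, not Sandra's or Wazuh's): a small Python harness that runs the posted pcre2 patterns and the rule's match alternatives over constructed sample lines, the way you would with wazuh-logtest before loading them on the manager, and shows that only alerts whose decoder yields srcip are candidates for GeoIP. It assumes the unseen parent decoder prematches on "PulseSecure:", that rule 100005 is the earlier success rule the map filter refers to, and it takes the account in front of "(CUST)" as user for the failure and login-failed decoders (auth_server is my field name, the others are the thread's).

```python
import re
# Constructed sample lines in the layout of the thread's Pulse Secure logs; host,
# IP, user and AD server values are placeholders, not data from the thread.
PREFIX = ("1 2021-06-15T05:43:10+02:00 vpn-gw01.example.net PulseSecure: - - - "
          "2021-06-15 05:43:10 - vpn-gw01 - [203.0.113.45] ")
SAMPLES = [
    PREFIX + "alice@example.com(CUST)[] - Authentication failure for AD server 'dc01-dc02': specified account does not exist",
    PREFIX + "example.com\\alice(CUST)[] - Primary authentication failed for example.com\\alice/dc01-dc02 from 203.0.113.45",
    PREFIX + "example.com\\alice(CUST)[] - Login failed using auth server dc01-dc02 (Active Directory). Reason: Invalid Credentials",
    PREFIX + "example.com\\alice(CUST)[] - Primary authentication successful for example.com\\alice/dc01-dc02 from 203.0.113.45",
]
# Parent decoder "pulsesecure" is not shown in the thread; assumed to prematch on "PulseSecure:" (after_parent).
PARENT_PREMATCH = re.compile(r"PulseSecure:")
# (name, <prematch>, pcre2 <regex>, <order>) per child decoder; the failure/login ones take the
# account before "(CUST)" as user and keep the AD server separately (assumption, see lead-in).
DECODERS = [
    ("pulsesecure_authentication_failure", "Authentication failure",
     r"^ - - - (\S+ \S+) - \S+ - \[(\S*)\] (\S+)\(\S+\)\[\] - Authentication failure for AD server '(\S+)'",
     ["pulsecure_time", "srcip", "user", "auth_server"]),
    ("pulsesecure_primary_authentication_failed", "Primary authentication failed",
     r"^ - - - (\S+ \S+) - \S+ - \[(\S*)\] .+ - Primary authentication failed for (\S+) from \S+",
     ["pulsecure_time", "srcip", "user"]),
    ("pulsesecure_login_failed", "Login failed",
     r"^ - - - (\S+ \S+) - \S+ - \[(\S*)\] (\S+)\(\S+\)\[\] - Login failed using auth server (\S+) \(Active Directory\)\. Reason: Invalid Credentials",
     ["pulsecure_time", "srcip", "user", "auth_server"]),
    ("pulsesecure_primary_authentication", "Primary authentication successful",
     r"^ - - - (\S+ \S+) .+ - Primary authentication successful for (\S+) from (\S+)",
     ["pulsecure_time", "user", "srcip"]),
]
# Rule <match> alternatives: 100006 is the thread's combined failure rule; 100005
# is assumed to be the earlier success rule that the map layer filters on.
RULES = [(100005, ["Primary authentication successful"]),
         (100006, ["Primary authentication failed", "Login failed", "Authentication failure"])]

def decode(line):
    """Mimic analysisd: parent prematch, then the first child whose prematch and regex both hit."""
    parent = PARENT_PREMATCH.search(line)
    for name, prematch, pattern, order in DECODERS:
        hit = parent and prematch in line and re.match(pattern, line[parent.end():])
        if hit:
            return name, dict(zip(order, hit.groups()))
    return None

def alert(line):
    """(rule_id, decoder_name, fields) or None; only alerts whose fields include srcip get GeoIP data."""
    decoded = decode(line)
    for rule_id, needles in RULES:
        if decoded and any(n in line for n in needles):
            return (rule_id, *decoded)
    return None
```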

Prachi Katakwar

Jun 20, 2021, 9:30:24 AM
to Sandra Ocando, Wazuh mailing list

Hi Sandra,


Sincere apologies for the delay in replying; everything is working perfectly fine as per your guidance and we can happily close the case.


Thanks for your patience all throughout and time.


BR

//Prachi
