Custom Rule not Working


Diego Valiente

Apr 24, 2025, 2:43:13 PM
to Wazuh | Mailing List
Hi Everyone, 

I'm trying to log events 4627 and 4729.

I added this to local_rules.xml but I am not getting any results. Any ideas what I'm not configuring correctly?

Thanks!

<group name="windows,custom,">
  <rule id="104627" level="4">
    <if_sid>18107</if_sid>
    <field name="win.system.eventID">4627</field>
    <description>Windows: Group membership information (Event ID 4627)</description>
  </rule>

  <rule id="104729" level="4">
    <if_sid>18107</if_sid>
    <field name="win.system.eventID">4729</field>
    <description>Windows: A member was removed from a security-enabled universal group (Event ID 4729)</description>
  </rule>
</group>

Hernan Matias Villan

Apr 24, 2025, 4:44:22 PM
to Wazuh | Mailing List
Hello, Diego

This is due to the fact that the rule you are referencing, 18107, checks for event IDs that do not include the ones you are looking for, so those IDs would not trigger this rule in the first place, and so your new custom rules would also never trigger (since they are child rules of 18104).

<rule id="18107" level="3">
  <if_sid>18104</if_sid>
  <id>^528$|^540$|^673$|^4624$|^4769$</id>
  <description>Windows Logon Success.</description>
  <mitre>
    <id>T1078</id>
  </mitre>
  <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

The solution for this is to reference rule 18107's parent instead, so in your custom rules, replace <if_sid>18107</if_sid> with <if_sid>18104</if_sid> and they should now work as expected.
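To make the parent/child behaviour concrete, here is an added Python model of how if_sid chaining decides whether a rule fires (it is not Wazuh's code and not part of the thread), run over the 18107 rule quoted above and the 4627 custom rule from the question. It assumes a stand-in catch-all definition for 18104, which the thread does not show, and simplifies the `<id>` test to a regex over win.system.eventID.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rule set: the 18107 definition quoted in the thread, the 4627
# custom rule from the question, and a stand-in for 18104 (its real definition
# is not in the thread; ASSUMED here to be a catch-all for Windows events).
RULES_XML = """<group name="windows,custom,">
  <rule id="18104" level="0">
    <field name="win.system.eventID">.+</field>
    <description>Stand-in Windows parent rule (assumption)</description>
  </rule>
  <rule id="18107" level="3">
    <if_sid>18104</if_sid>
    <id>^528$|^540$|^673$|^4624$|^4769$</id>
    <description>Windows Logon Success.</description>
  </rule>
  <rule id="104627" level="4">
    <if_sid>18107</if_sid>
    <field name="win.system.eventID">4627</field>
    <description>Windows: Group membership information (Event ID 4627)</description>
  </rule>
</group>"""

# The same rules with the custom rule reparented to 18104, as the answer suggests.
FIXED_XML = RULES_XML.replace("<if_sid>18107</if_sid>", "<if_sid>18104</if_sid>")


def load_rules(xml_text):
    """Parse <rule> elements into {id: (parent_id, id_regex, [(field, regex)])}."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        parent = (r.findtext("if_sid") or "").strip() or None
        fields = [(f.get("name"), f.text) for f in r.findall("field")]
        rules[r.get("id")] = (parent, r.findtext("id"), fields)
    return rules


def fires(rules, rule_id, event):
    """A rule fires only if its if_sid parent fired AND its own tests match.
    <id> is simplified to a regex over win.system.eventID (not the real decoder)."""
    parent, id_regex, fields = rules[rule_id]
    if parent and not fires(rules, parent, event):
        return False  # parent rejected the event, so the child is never reached
    if id_regex and not re.search(id_regex, event.get("win.system.eventID", "")):
        return False
    return all(re.search(rx, event.get(name, "")) for name, rx in fields)


def event_fires(xml_text, rule_id, event_id):
    """Run a constructed decoded Windows event with the given ID against rule_id."""
    return fires(load_rules(xml_text), rule_id, {"win.system.eventID": str(event_id)})
```

With the original rules, event_fires(RULES_XML, "104627", 4627) is False because 18107's id regex rejects 4627 before the custom rule is reached; with FIXED_XML the same call returns True.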
