User creation and deletion


Jorge Moya Albarran

Sep 1, 2025, 6:24:39 AM (6 days ago) Sep 1
to Wazuh | Mailing List
Good morning,

Can anyone help me develop a rule that detects the creation and deletion of users (both) within 24 hours of their creation? This is the rule I have developed, but nothing happens because I don't think you can put two “if_matched_sid” in the same rule.

<rule id="100216" level="9" timeframe="86400">
  <if_matched_sid>100215</if_matched_sid>
  <if_matched_sid>60109</if_matched_sid>
  <same_user/>
  <description>User deleted within 24 hours of its creation</description>
  <group>critical,windows,active_directory,user_created_deleted,</group>
</rule>

Rule 100215 is a rule created to detect users disabled or deleted within 24 hours.
Rule 60109 detects account creation or activation.
I need to link the two rules but can't figure out how.

Thank you, best regards.

Translated with DeepL.com (free version)

Anthony Faruna

Sep 1, 2025, 4:14:51 PM (6 days ago) Sep 1
to Wazuh | Mailing List
Hello Jorge,

Please try the rule below and let me know if it meets your requirements.

<rule id="100216" level="10" timeframe="86400">
  <if_sid>60109,60111</if_sid>
  <field name="win.system.message">A\suser\saccount\swas\screated|A\suser\saccount\swas\sdeleted</field>
  <description>User account created or deleted within 24 hours of its creation</description>
</rule>

Best Regards 
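The correlation both posts are circling, an account deleted within 24 hours of its creation for the same target account, written out in plain Python so the logic can be checked before it is expressed as Wazuh rules. This is an added example for the thread, not code from either poster and not Wazuh's rule engine; the event records and their field names (`ts`, `user`, `message`) are constructed to resemble decoded Windows security alerts, and the message regex reuses the alternation from the reply's `<field>` element with a capture group added so the code can tell a creation from a deletion.

```python
import re
from datetime import datetime, timedelta

# 24 hours, the same value as timeframe="86400" in the thread's rules.
WINDOW = timedelta(seconds=86400)

# Same alternation as the <field> regex in the reply, with a capture group
# so a creation can be distinguished from a deletion.
MESSAGE_RE = re.compile(r"A\suser\saccount\swas\s(created|deleted)")

# Constructed sample events (not real logs), loosely shaped like the decoded
# fields of a Wazuh Windows security alert, in the chronological order in
# which they would reach a rule engine.
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T08:00:00", "user": "svc_tmp", "message": "A user account was created."},
    {"ts": "2025-09-01T08:05:00", "user": "jdoe",    "message": "A user account was created."},
    {"ts": "2025-09-01T13:30:00", "user": "SVC_TMP", "message": "A user account was deleted."},  # 5.5 h later -> alert
    {"ts": "2025-09-03T09:00:00", "user": "jdoe",    "message": "A user account was deleted."},  # > 24 h later -> no alert
    {"ts": "2025-09-03T09:10:00", "user": "orphan",  "message": "A user account was deleted."},  # never seen created -> no alert
]


def classify(message):
    """Return 'created', 'deleted' or None from the event's message text."""
    m = MESSAGE_RE.search(message)
    return m.group(1) if m else None


def correlate(events, window=WINDOW):
    """Return one alert per account deleted within `window` of its creation.

    The correlation key is the target account name, which is what
    <same_user/> expresses in a Wazuh rule. Names are lower-cased because
    Windows account names are case-insensitive.
    """
    created_at = {}  # account name -> timestamp of its most recent creation
    alerts = []
    for ev in events:
        kind = classify(ev["message"])
        if kind is None:
            continue  # not a creation or deletion event
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"].lower()
        if kind == "created":
            created_at[user] = ts
            continue
        # kind == "deleted": alert only when a creation for the same account
        # is on record and lies inside the window.
        t0 = created_at.pop(user, None)
        if t0 is not None and ts - t0 <= window:
            alerts.append({
                "user": user,
                "created": t0.isoformat(),
                "deleted": ts.isoformat(),
                "lifetime_seconds": int((ts - t0).total_seconds()),
                "description": "User deleted within 24 hours of its creation",
            })
    return alerts


def message_only_matches(events):
    """Accounts selected by the message regex alone, with no time window and
    no per-account key: the set a bare <field> match would fire on."""
    return [ev["user"] for ev in events if classify(ev["message"])]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running it against the constructed events yields a single alert, for `svc_tmp`, with a lifetime of 19800 seconds; `jdoe` is outside the window and `orphan` has no creation on record. The message regex by itself selects all five events, so the two pieces that turn a match into the correlation the question asks for are the 24-hour window and the per-account key, which is the distinction between a plain `<field>` match and a rule that combines `timeframe` with `<same_user/>`. Note that `created_at` keeps an entry for every account that is created and never deleted; a long-running implementation would evict entries older than the window.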