Wazuh - User Account deleted within 24 hours of its creation


Jay Nagrecha

Apr 21, 2022, 2:59:36 AM
to Wazuh mailing list
Hello. 

I am trying to create a Wazuh rule to generate an alert if a Windows account is created and then deleted within 24 hours of its creation. It must not generate an alert if someone deletes an already existing account within 24 hours of the creation of some unrelated account. For example, suppose there is already a user called "Test" and someone creates a new account called "Test1", then deletes the account "Test" within 24 hours of the creation of "Test1": NO alert must be generated. An alert must only be triggered if the account "Test1" has been deleted. Kindly guide.

Thank You

Julio Gasco

Apr 21, 2022, 11:34:29 AM
to Wazuh mailing list
Hi Jay,
Thanks for using our community!

The following rule will achieve what you want:

<group name="windel,">
  <rule id="100100" level="5" timeframe="86400">
    <if_sid>60111</if_sid>
    <if_matched_sid>60109</if_matched_sid>
    <description>User deleted after being created within the last 24 hours</description>
  </rule>
</group>

The line <if_sid>60111</if_sid> refers to the rule that triggers when a user is deleted on Windows.
To make sure the user was created in the last 24 hours we use <if_matched_sid>60109</if_matched_sid>; rule 60109 is the rule triggered when a user is created.
In the new rule's header we define the timeframe for the if_matched_sid condition: <rule id="100100" level="5" timeframe="86400"> (86400 seconds = 24 hours).

Below is an example I replicated in my lab.

The user-created rule was triggered first:
(screenshot attached: rule1.JPG)
Then, after removing the user within the time frame, the new alert was triggered:
(screenshot attached: rule2.JPG)

Jay Nagrecha

Apr 22, 2022, 3:54:58 AM
to Wazuh mailing list
Thank you for the response. As I had already mentioned, I have already implemented the exact rule you sent, and it is already working perfectly. The only challenge I am having is that there is an ambiguity in this rule itself. There is a high possibility of false positives, and to eliminate them the only challenge to overcome is to satisfy this condition: Wazuh must trigger an alert if and only if the same user that was created is deleted within 24 hours. Please guide on the same.

ΣЯMЦЯΣПZ

Dec 26, 2024, 12:23:56 AM
to Wazuh | Mailing List
Hi,
I know this is a very old post, but I'm in the same situation right now.
Have you found the solution for this one?
I'm going to try this:

add this line inside the rule
<same_field>win.eventdata.targetUserName</same_field>

but I'm not sure if this is the right way.
Thanks in advance.
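To make the difference between the two rule variants concrete, here is an added example that is not part of this thread and not Wazuh's own engine: a small Python replay that mimics how if_matched_sid with timeframe="86400" correlates a deletion (event 4726, rule 60111) with earlier creations (event 4720, rule 60109), first without and then with a same_field constraint on targetUserName. The events and timestamps are constructed; the scenario is the one from the first post (user "Test" already exists, "Test1" is created and then deleted).

```python
WINDOW = 86400  # timeframe="86400" from the rule in the thread: 24 hours

# Constructed sample events, shaped like the decoded Windows Security fields
# Wazuh exposes (win.system.eventID, win.eventdata.targetUserName).
# "ts" is an epoch-second timestamp; ordering is the only thing that matters.
EVENTS = [
    {"ts": 0,      "eventID": "4720", "targetUserName": "Test1"},  # new user created
    {"ts": 3600,   "eventID": "4726", "targetUserName": "Test"},   # pre-existing user removed
    {"ts": 7200,   "eventID": "4726", "targetUserName": "Test1"},  # the new user removed
    {"ts": 90000,  "eventID": "4720", "targetUserName": "Test2"},
    {"ts": 180000, "eventID": "4726", "targetUserName": "Test2"},  # removed 25h after creation
]


def correlate(events, same_field=None, window=WINDOW):
    """Replay events and return the targetUserName of every deletion (4726)
    preceded by a creation (4720) inside `window` seconds.

    same_field=None mimics the plain <if_matched_sid>60109</if_matched_sid> rule;
    same_field="targetUserName" mimics adding <same_field> for that field.
    This is a simplified model of the matching, not Wazuh's implementation.
    """
    recent_creations = []
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        # expire creations that fall outside the timeframe
        recent_creations = [c for c in recent_creations if ev["ts"] - c["ts"] <= window]
        if ev["eventID"] == "4720":
            recent_creations.append(ev)
        elif ev["eventID"] == "4726":
            matched = any(
                same_field is None or c[same_field] == ev[same_field]
                for c in recent_creations
            )
            if matched:
                alerts.append(ev["targetUserName"])
    return alerts


if __name__ == "__main__":
    # Without same_field the deletion of the unrelated "Test" also alerts.
    print("plain if_matched_sid:", correlate(EVENTS))                      # ['Test', 'Test1']
    # With same_field only the user that was created and then deleted alerts.
    print("with same_field:     ", correlate(EVENTS, "targetUserName"))   # ['Test1']
```

The first call shows the false positive the thread is about; the second shows the constraint removing it while still ignoring "Test2", whose deletion falls outside the 24-hour window.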