Event 60122


stefano pasotti

Mar 27, 2024, 6:24:16 AM
to Wazuh | Mailing List
Good morning, I inserted this rule in the local rules but I noticed many false positives. Is there a way to select only alerts for certain target servers (DC1, FS1, ...) and/or for certain particular users (Admin, Administrator, ...)?

<group name="windows,windows_security,">
  <rule id="60122" level="11" overwrite="yes">
    <if_sid>60105</if_sid>
    <field name="win.system.eventID">^529$|^4625$</field>
    <options>no_full_log</options>
    <description>User $(win.eventdata.targetUserName) logon failure - Unknown user or bad password.</description>
    <mitre>
      <id>T1078</id>
      <id>T1531</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.1,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.4,pci_dss_10.2.5,tsc_C$
  </rule>
</group>
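One way to get the narrowing asked for above, as an added example that is not part of the original post: instead of overwriting rule 60122 at level 11 (which raises every Windows logon failure), leave 60122 at its stock level and add child rules in local_rules.xml that only fire when the decoded target host or target account matches. The rule ids 100100 and 100101, the host names DC1/FS1 and the account names Admin/Administrator are assumptions taken from the question; `win.system.computer` and `win.eventdata.targetUserName` are fields the Windows eventchannel decoder already provides, and `type="pcre2"` selects PCRE2 syntax for the `<field>` match.

```xml
<!-- Added example, not from the original post or the Wazuh ruleset.
     Child rules of 60122 that fire only for selected hosts or accounts.
     Rule ids, host names and account names are illustrative assumptions. -->
<group name="windows,windows_security,local,">

  <!-- Logon failure whose target computer is one of the named servers.
       The computer name is often a FQDN (e.g. DC1.corp.example), so the
       pattern accepts either a bare name or a name followed by a dot. -->
  <rule id="100100" level="11">
    <if_sid>60122</if_sid>
    <field name="win.system.computer" type="pcre2">^(DC1|FS1)(\.|$)</field>
    <options>no_full_log</options>
    <description>Logon failure for $(win.eventdata.targetUserName) on critical host $(win.system.computer)</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Logon failure against one of the named privileged accounts, on any host.
       (?i) makes the account comparison case-insensitive. -->
  <rule id="100101" level="11">
    <if_sid>60122</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">^(?i)(admin|administrator)$</field>
    <options>no_full_log</options>
    <description>Logon failure for privileged account $(win.eventdata.targetUserName) on $(win.system.computer)</description>
    <group>authentication_failed,</group>
  </rule>

</group>
```

Multiple `<field>` elements inside one rule are combined with AND, so a rule that needs both a listed host and a listed account can carry both `<field>` lines. After restarting the manager, a sample 4625 event can be fed to /var/ossec/bin/wazuh-logtest to confirm that 60122 still matches at its base level and that only the narrowed child rule reaches level 11.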

Jorge Eduardo Molas

Mar 30, 2024, 8:17:27 PM
to Wazuh | Mailing List
Hi Stefano, thanks for using Wazuh.
Rule 60122 is a specific rule located in the /var/ossec/ruleset/rules directory, which is part of a security monitoring solution. 
To reach your objective, it may be beneficial to utilize CBD lists. Keep in mind that you might need to create a custom decoder to extract the field that you want to compare with the information contained within the created CBD list. To test out these decoders and rules, you can use the tool that Wazuh has provided.

I hope this information is helpful to you!
Regards!
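The CDB-list approach suggested in the reply, written out as an added example (not Jorge's or the Wazuh project's own files): the allow-list of hosts and accounts lives in list files rather than in the rule regex, so it can be extended without touching the rules. Assumed paths are /var/ossec/etc/lists/critical-hosts and /var/ossec/etc/lists/privileged-users, and rule ids 100110 and 100111; the host and account names come from the question. For the two fields used here no custom decoder is needed, because the Windows eventchannel decoder already extracts `win.system.computer` and `win.eventdata.targetUserName`.

```xml
<!-- Added example, not from the original thread or the Wazuh ruleset.
     Paths, rule ids and list contents are constructed for illustration. -->

<!-- 1. List files: one entry per line in "key:value" form; the value may be empty.
        Keys must equal the decoded field value exactly (e.g. use the FQDN if that
        is what win.system.computer carries in your events).

        /var/ossec/etc/lists/critical-hosts
          DC1:
          FS1:

        /var/ossec/etc/lists/privileged-users
          Admin:
          Administrator:
-->

<!-- 2. /var/ossec/etc/ossec.conf: register the lists under <ruleset> so the
        manager compiles them to .cdb files when it restarts. -->
<ossec_config>
  <ruleset>
    <list>etc/lists/critical-hosts</list>
    <list>etc/lists/privileged-users</list>
  </ruleset>
</ossec_config>

<!-- 3. /var/ossec/etc/rules/local_rules.xml: child rules of 60122 that match only
        when the field value is a key in the corresponding list. -->
<group name="windows,windows_security,local,">

  <rule id="100110" level="11">
    <if_sid>60122</if_sid>
    <list field="win.system.computer" lookup="match_key">etc/lists/critical-hosts</list>
    <options>no_full_log</options>
    <description>Logon failure for $(win.eventdata.targetUserName) on listed host $(win.system.computer)</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="100111" level="11">
    <if_sid>60122</if_sid>
    <list field="win.eventdata.targetUserName" lookup="match_key">etc/lists/privileged-users</list>
    <options>no_full_log</options>
    <description>Logon failure for listed privileged account $(win.eventdata.targetUserName) on $(win.system.computer)</description>
    <group>authentication_failed,</group>
  </rule>

</group>
```

`lookup="match_key"` is an exact, case-sensitive key comparison, which is the main difference from a regex `<field>` match: a list entry of `DC1:` will not match a computer value of `dc1.corp.example`. Restart wazuh-manager after editing the lists or ossec.conf, then replay a sample 4625 event through /var/ossec/bin/wazuh-logtest to confirm which of 60122, 100110 and 100111 fire.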