Want to filter out TargetUsername


Tom Powers

May 17, 2022, 3:31:40 PM
to Wazuh mailing list
Hello,

On Windows, we have a lot of 4624 (successful logon) events for the computer account being recorded, which is just noise to us. For example, Exchange2019$ is being recorded in data.win.eventdata.targetUserName.

So the question is: what's the best way to filter these out so we don't waste storage on them?

Is it best to create a rule that, if it sees a 4624 event coming from rule ID 60106 and the TargetUserName has a $ in it, sets its value back to 0?

OR

Would it be better to put some sort of filter into the group's ossec.conf to not even send the 4624 event if the targetUserName has a $ in it?

Which way is better, and what would the appropriate configuration look like?

All insight is appreciated

Julio Gasco

May 17, 2022, 4:56:14 PM
to Wazuh mailing list
Hi Thomas,

Thanks for using our community!

On the Windows agent's ossec.conf (or agent.conf if centralized configuration is being used) you can avoid an entire event from being detected, but you won't be able to filter there by a specific user triggering that event; you would be silencing all 4624 events altogether.

You will need to implement a rule like the following to silence the alerts triggered by that user. Remember that $ is a special character, so it needs to be escaped with \:

<rule id="100145" level="0">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.targetUserName">Exchange2019\$</field>
    <description>Silence Alert</description>
</rule>

To avoid the event altogether, in your ossec.conf (or shared agent.conf) edit the localfile for eventchannel and add EventID != 4624 to the query. It will look like this:

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4624 and
      EventID != 4656 and EventID != 4658 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

Reference:
localfile - Local configuration (ossec.conf), Wazuh documentation (information on eventchannel configuration)

Regards!
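A generalised form of the rule from the reply above, added here as an example and not taken from the Wazuh ruleset or from either post: it silences 4624 logons for every computer account (any targetUserName whose last character is $) instead of a single named host. It assumes the rule goes in /var/ossec/etc/rules/local_rules.xml, that id 100145 is unused, and that the manager is Wazuh 4.3 or later so the `type="pcre2"` attribute on `<field>` is accepted.

```xml
<group name="windows,local,">
  <!-- Child of 60106 (Windows logon success, EventID 4624). Level 0 means the
       manager still receives and decodes the event but writes no alert for it;
       to stop the agent from sending 4624 at all, use the eventchannel <query>
       from the reply instead (that drops the event for every account). -->
  <rule id="100145" level="0">
    <if_sid>60106</if_sid>
    <!-- PCRE2 (assumed available, Wazuh 4.3+): a literal "$" as the final
         character of the account name, i.e. a computer account. The first
         "\$" is the escaped literal, the trailing "$" is the end anchor,
         so a user name that merely contains "$" in the middle is not matched. -->
    <field name="win.eventdata.targetUserName" type="pcre2">\$$</field>
    <description>Silence 4624 logon by computer account $(win.eventdata.targetUserName)</description>
  </rule>
</group>
```

The level-0 rule saves alert storage only; the agent still ships the event and the manager still spends decoder time on it, so if the volume is the concern the `<query>` exclusion is the cheaper option, at the cost of losing every 4624, including interactive user logons.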