Configuring an alert based on a rule match


Tedew

Jul 27, 2023, 3:27:21 AM7/27/23
to Wazuh mailing list
Hello,
Sorry for the trivial question, but I'm new to the Wazuh world :)
Maybe someone can guide me with my question.

I have to configure an alert and send mail when someone uses a domain Admin account to log in on the DC controllers.

I know that first I have to set up the mail config - I will do it - there are nice instructions on the Wazuh page.
But where do I set an alert based on a rule match in the agent.conf file??

I want to use

<email_alerts>
  <email_to>M...@mail.com</email_to>
  <rule_id>60106,60118</rule_id>
  <match>Administrator, MY_DOMAIN_NAME</match>
  <do_not_delay />
</email_alerts>

Is it correct :)?? Thank you

Awwal Ishiaku

Jul 27, 2023, 4:34:03 AM7/27/23
to Wazuh mailing list
Hi,
You need to add the configuration to the /var/ossec/etc/ossec.conf file on your Wazuh server.
Make sure you restart the Wazuh manager to apply the changes:
systemctl restart wazuh-manager

Regards

Awwal Ishiaku

Jul 27, 2023, 4:35:56 AM7/27/23
to Wazuh mailing list
Also, you cannot use <match> in your configuration file.
That is an option reserved for rule files.
So I guess you need to create a rule if you want to match specific usernames,
and reference that rule in your email configuration.

Tedew

Jul 27, 2023, 6:59:12 AM7/27/23
to Wazuh mailing list
Hello,
Thank you for the info.

So, to summarize:


2. Create a rule
     A. Open the file 0580-win-security_rules.xml
     B. Copy the rule of interest to a text editor
        <rule id="60106" level="3">

             <if_sid>60103</if_sid>
             <field name="win.system.eventID">^528$|^540$|^673$|^4624$|^4769$</field>
            <options>no_full_log</options>
           <description>Windows logon success.</description>
           <mitre>
           <id>T1078</id>
          </mitre>
          <group>authentication_success,gdpr_IV_32.2,gpg13_7.1,gpg13_7.2,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.5,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
       </rule>

   C. Modify the rule and copy it to local_rules.xml on the server???

          <rule id="100010" level="3">
             <if_sid>60103</if_sid>
             <field name="win.system.eventID">^528$|^540$|^673$|^4624$|^4769$</field>
             <options>no_full_log</options>
             <field name="targetDomainName">MY_DOMAIN_NAME</field>
             <match>Administrator</match>
             <description>Domain Administrator logon success on the server.</description>
             <mitre>
               <id>T1078</id>
             </mitre>
             <group>authentication_success,gdpr_IV_32.2,gpg13_7.1,gpg13_7.2,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.5,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
          </rule>


            or can I have two field rows instead of match??
     

              <field name="targetDomainName">MY_DOMAIN_NAME</field>
       <field name="targetUserName">Administrator</field>


    D. On the Wazuh server, in the /var/ossec/etc/ossec.conf file, put this:
          <email_alerts> 
             <email_to>M...@mail.com</email_to> 
              <rule_id> 100010 </rule_id>
              <do_not_delay /> 
         </email_alerts>

Restart Wazuh.

Correct :)??


Thank You

Tedew

Jul 27, 2023, 8:01:39 AM7/27/23
to Wazuh mailing list
Hello,
I did it like this in local_rules.xml:

<group name="windows,windows_security,">


<rule id="100010" level="3">
<if_sid>60103</if_sid>
<field name="win.system.eventID">^528$|^540$|^673$|^4624$|^4769$</field>
<field name="win.eventdata.targetDomainName">^MY_DOMAIN$</field>
<field name="win.eventdata.targetUserName">^Administrator$</field>
<options>no_full_log</options>

<description>Domain Administrator logon success on the server.</description>
<mitre>
<id>T1078</id>
</mitre>
<group>authentication_success,gdpr_IV_32.2,gpg13_7.1,gpg13_7.2,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.5,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

</group>

I restarted Wazuh, then I logged in to the server, but I don't see this alert on the Agent page -> Security Events -> Events. I see only the original rule 60106 (Windows logon success).

Is something wrong in my syntax??

Tedew

Jul 28, 2023, 4:41:00 AM7/28/23
to Wazuh mailing list
Hello,
The trigger of my custom rules is still not working for me :(
I did another test:
in local_rules.xml I copied and modified another rule (based on rule id 92653); I changed only the id and description:

<rule id="100011" level="3">
    <if_sid>92651</if_sid>
    <field name="win.eventdata.logonType" type="pcre2">10</field>
    <description>User: Admin logged in using Remote Desktop Connection (RDP).</description>
    <mitre>
      <id>T1021.001</id>
      <id>T1078.002</id>
    </mitre>
  </rule>

This rule is based on rule id 92653.

Then, for testing, I changed this in the file 0575-win-base_rule.xml:


<group name="windows,">

  <rule id="60000" level="0">
     <decoded_as>json</decoded_as>



Then I launched the test, but every time the result in step 3 returns rule ID 92653:
**Phase 3: Completed filtering (rules). id: '92653' level: '3'

But I think that it should return ids 92653 and 100011 if both rules are equal??
Thanks

Tedew

Jul 28, 2023, 8:54:28 AM7/28/23
to Wazuh mailing list
Hello,
Issue solved. I changed the level to 4 and now it is working :)
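
Why raising the level fixed it: the manager walks the rule tree parent by parent, and among the children of one parent (here everything with `<if_sid>60103</if_sid>`) it tries the higher-level rule first. Rules of the same level are tried in load order, and the stock rule files load before local_rules.xml, so a level-3 rule 100010 sits behind the stock level-3 rule 60106 and is never reached once 60106 has matched. The Python below is an added toy model of that selection, not Wazuh's code and not from any author in this thread: it parses only the id, level, if_sid and field parts of the rule syntax, uses Python's re where Wazuh uses its own regex engine, replaces the stock parent rule 60103 with a stand-in that always matches, and feeds the tree two constructed events shaped like the Windows JSON decoder output.

```python
"""Toy model of Wazuh sibling-rule ordering (added example, not Wazuh code).
Shows why the thread's custom rule 100010 loses to stock rule 60106 at
level 3 and wins at level 4."""
import re
import xml.etree.ElementTree as ET

# Constructed rule set. 60103 is a stand-in for the stock parent (its real
# conditions are omitted, so it always matches); 60106 is the stock rule as
# quoted in the thread; 100010 is the custom rule from local_rules.xml.
# Stock rules are listed first because they load before local_rules.xml.
RULES_XML = """
<group name="windows,windows_security,">
  <rule id="60103" level="0">
    <description>Stand-in for the stock parent rule.</description>
  </rule>
  <rule id="60106" level="3">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^528$|^540$|^673$|^4624$|^4769$</field>
    <description>Windows logon success.</description>
  </rule>
  <rule id="100010" level="{custom_level}">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^528$|^540$|^673$|^4624$|^4769$</field>
    <field name="win.eventdata.targetDomainName">^MY_DOMAIN$</field>
    <field name="win.eventdata.targetUserName">^Administrator$</field>
    <description>Domain Administrator logon success on the server.</description>
  </rule>
</group>
"""

# Constructed events in the shape the Windows JSON decoder produces.
ADMIN_LOGON = {"win": {"system": {"eventID": "4624"},
                       "eventdata": {"targetDomainName": "MY_DOMAIN",
                                     "targetUserName": "Administrator"}}}
USER_LOGON = {"win": {"system": {"eventID": "4624"},
                      "eventdata": {"targetDomainName": "MY_DOMAIN",
                                    "targetUserName": "jdoe"}}}


def load_rules(xml_text):
    """Build parent -> [children]. Each child list is ordered by level,
    highest first; equal levels keep load order (stable sort), which is
    the behaviour being modelled."""
    children = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        rule = {"id": r.get("id"), "level": int(r.get("level")),
                "fields": [(f.get("name"), f.text.strip()) for f in r.findall("field")]}
        parent = (r.findtext("if_sid") or "").strip() or None
        children.setdefault(parent, []).append(rule)
    for siblings in children.values():
        siblings.sort(key=lambda rule: -rule["level"])
    return children


def lookup(event, dotted_name):
    """Resolve a field name such as win.eventdata.targetUserName."""
    value = event
    for part in dotted_name.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return str(value)


def rule_matches(rule, event):
    """Every <field> must match; a missing field never matches."""
    for name, pattern in rule["fields"]:
        value = lookup(event, name)
        if value is None or not re.search(pattern, value):
            return False
    return True


def evaluate(children, event, parent=None):
    """First matching sibling wins, then descend into its children.
    Returns the deepest matching rule, or None."""
    for rule in children.get(parent, []):
        if rule_matches(rule, event):
            return evaluate(children, event, rule["id"]) or rule
    return None


def winning_rule(custom_level, event):
    """Id of the rule that would produce the alert for this event."""
    children = load_rules(RULES_XML.format(custom_level=custom_level))
    winner = evaluate(children, event)
    return winner["id"] if winner else None


if __name__ == "__main__":
    for level in (3, 4):
        print(f"custom rule at level {level}: admin logon -> "
              f"{winning_rule(level, ADMIN_LOGON)}, "
              f"user logon -> {winning_rule(level, USER_LOGON)}")
```

Running it prints that the administrator logon selects 60106 when the custom rule is at level 3 and 100010 at level 4, while an ordinary user's logon selects 60106 either way; on a real manager, wazuh-logtest phase 3 shows the same choice. Once 100010 is the firing rule, the `<email_alerts>` block with `<rule_id>100010</rule_id>` applies to it. If the alert appears in the dashboard but no mail arrives, the remaining thing to check is the global `email_alert_level` in ossec.conf (default 12); the ruleset syntax also offers `<options>alert_by_email</options>` for rules that should always be mailed.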
