create file alert.json custom for a rule


Jk

Jul 6, 2023, 9:36:26 AM
to Wazuh mailing list
Hi, in the /var/ossec/logs/alerts folder I see an alerts.json file with events captured by the rules in the 0580-win-security_rules.xml file. Now I made a custom rule like this:

<rule id="100002" level="3">
   <decoded_as>json</decoded_as>
   <if_group>windows_security</if_group>
   <description>Test log referer ....</description>
   <field name="win.eventdata.targetUserName">name.surname</field>
</rule>

which is a rule included in the previous one. Can I create a name.surname.json file that includes the events captured by this rule?

Thank you

jk

Alexander Bohorquez

Jul 6, 2023, 10:01:32 AM
to Wazuh mailing list
Hello Alfonso,

Thank you for using Wazuh!

I see that you are trying to create custom rules related to Windows events. Windows events are processed with a decoder called "windows_eventchannel", and this is embedded inside Wazuh's code. I mention this because I see that you are using the "decoded_as > JSON" option, and in this case it would not be necessary to add such an option. Using the "if_group > windows_security" option would be enough to generate the alert.

What I would recommend is to identify based on which rule you want to generate an extra alert. Could you give me more information about your requirement so I can help you?

I would need to know under what condition you want this new rule to be triggered. For example:

If an event is generated with rule ID 80300 and the user in the field "win.eventdata.targetUserName" is "Adrian" I want another alert to be generated.

With this information I could explain the steps to do it. I take this opportunity to leave you information on how to create custom rules:

https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#adding-new-decoders-and-rules

I look forward to your comments!



Jk

Jul 7, 2023, 4:03:34 AM
to Wazuh mailing list
Thank you for your answer,
I have looked deeper into the decoders and the rules and now have a clearer understanding of how they work. Let me explain my situation: I currently have a Windows domain controller sending security-related logs to Wazuh. Wazuh already has the 0580-win-security_rules.xml rules and a decoder to capture these events, and I see everything being captured in the default /var/ossec/logs/alerts/alerts.json file. Out of this multitude of events I would like to filter some, a subcategory of Windows security events (a subpart), and create an alert_custom.json file. For example, an event looks like this:
{
  "timestamp": "2023-07-06T12:53:41.257+0000",
  "rule": {
    "level": 3,
    "description": "Windows User Logoff.",
    "id": "60137",
    "firedtimes": 146,
    "mail": false,
    "groups": [
      "windows",
      "windows_security"
    ],
    "gdpr": [
      "IV_32.2"
    ],
    "hipaa": [
      "164.312.b"
    ],
    "nist_800_53": [
      "AC.7",
      "AU.14"
    ],
    "pci_dss": [
      "10.2.5"
    ],
    "tsc": [
      "CC6.8",
      "CC7.2",
      "CC7.3"
    ]
  },
  "agent": {
    "id": "001",
    "name": "W2019S-SIE-DC01",
    "ip": "10.0.6.30"
  },
  "manager": {
    "name": "wazuh-server"
  },
  "id": "1688648021.198507493",
  "decoder": {
    "name": "windows_eventchannel"
  },
  "data": {
    "win": {
      "system": {
        "providerName": "Microsoft-Windows-Security-Auditing",
        "providerGuid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
        "eventID": "4634",
        "version": "0",
        "level": "0",
        "task": "12545",
        "opcode": "0",
        "keywords": "0x8020000000000000",
        "systemTime": "2023-07-06T12:49:40.381476200Z",
        "eventRecordID": "11597720",
        "processID": "776",
        "threadID": "2380",
        "channel": "Security",
        "computer": "W2019S-SIE-DC01.domainxxx.local",
        "severityValue": "AUDIT_SUCCESS",
        "message": "\"An account has been disconnected.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-3695727019-3691295661-1291628153-1118\r\n\tAccount name:\t\tmario.rossi\r\n\tAccount domain:\t\tdomainname\r\n\tLogin ID:\t\t0x61B3209C\r\n\r\nLogin type:\t\t\t3\r\n\r\nThis event is generated when a login session is dropped. It can be positively correlated with a login event through the Login ID value. Login IDs are unique only across restarts on the same computer.\""
      },
      "eventdata": {
        "targetUserSid": "S-1-5-21-3695727019-3691295661-1291628153-1118",
        "targetUserName": "Mario.Rossi",
        "targetDomainName": "DomainXXX",
        "targetLogonId": "0x61b3209c",
        "logonType": "3"
      }
    }
  },
  "location": "EventChannel"
}
which concerns the logoff action of the user Mario Rossi. For example, I would like my custom_alert.json file to capture only Mario Rossi's logoffs and logons.
Is this possible?

Thank you

jk
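As an added example (not code from the thread or from Wazuh): a small Python filter that reads alerts.json as JSON Lines and writes only the logon/logoff alerts for one account to a custom file, which is the split described in the question. The sample alert lines are constructed to mirror the structure quoted above; rule ids other than 60137 and the account names are placeholders.

```python
import json

# Constructed alerts.json lines (one JSON object per line), shaped like the alert
# quoted in the thread; rule ids other than 60137 and all names are placeholders.
SAMPLE_ALERTS = [
    '{"timestamp":"2023-07-06T12:53:41.257+0000","rule":{"level":3,"id":"60137",'
    '"groups":["windows","windows_security"]},"data":{"win":{"system":{"eventID":"4634"},'
    '"eventdata":{"targetUserName":"Mario.Rossi","logonType":"3"}}}}',
    '{"timestamp":"2023-07-06T12:55:02.001+0000","rule":{"level":3,"id":"6XXXX",'
    '"groups":["windows","windows_security"]},"data":{"win":{"system":{"eventID":"4624"},'
    '"eventdata":{"targetUserName":"jane.doe","logonType":"3"}}}}',
    '{"timestamp":"2023-07-06T12:56:10.500+0000","rule":{"level":5,"id":"6YYYY",'
    '"groups":["windows","windows_security","authentication_failed"]},"data":{"win":'
    '{"system":{"eventID":"4625"},"eventdata":{"targetUserName":"mario.rossi"}}}}',
    '{"timestamp":"2023-07-06T12:57:00.000+0000","rule":{"level":3,"id":"6XXXX",'
    '"groups":["windows","windows_security"]},"data":{"win":{"system":{"eventID":"4624"},'
    '"eventdata":{"targetUserName":"MARIO.ROSSI","logonType":"2"}}}}',
    '{"timestamp":"2023-07-06T12:58',  # truncated: alerts.json is still being written
]
LOGON_LOGOFF_EVENT_IDS = {"4624", "4634"}  # Security log: logon success, logoff

def iter_alerts(lines):
    """Parse JSON Lines, skipping blank and incomplete records (a live file ends mid-line)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def is_user_logon_event(alert, user):
    """Logon/logoff of `user` in the windows_security group; the account name is compared
    case-insensitively because eventdata shows both Mario.Rossi and MARIO.ROSSI."""
    groups = alert.get("rule", {}).get("groups", [])
    win = alert.get("data", {}).get("win", {})
    event_id = win.get("system", {}).get("eventID")
    target = win.get("eventdata", {}).get("targetUserName", "")
    return ("windows_security" in groups and event_id in LOGON_LOGOFF_EVENT_IDS
            and target.lower() == user.lower())

def filter_alerts(lines, user):
    return [a for a in iter_alerts(lines) if is_user_logon_event(a, user)]

def write_custom_alerts(src_path, dst_path, user):
    """Append matching alerts from src_path to dst_path as JSON Lines; return the count."""
    with open(src_path, encoding="utf-8") as src, open(dst_path, "a", encoding="utf-8") as dst:
        matched = filter_alerts(src, user)
        dst.write("".join(json.dumps(a, separators=(",", ":")) + "\n" for a in matched))
    return len(matched)
```

Keep the case issue in mind when writing the <field> pattern in the rule too: the regex in a Wazuh rule is matched case-sensitively, so a pattern of name.surname will not match an event that reports Name.Surname.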
