No Phase 3


Tom Powers

Feb 22, 2022, 1:33:22 PM
to Wazuh mailing list
Hello Wazuh folks!!!

So I'm running Wazuh 4.2.5 and doing a log test against a Windows log, EventID 4741.

Logtest decodes it just fine but hangs when trying to match a rule. I'll post the output below.

All other logs seem to be parsing fine, but I'm looking to set up a new rule for this event and I'm getting no hits. I took my rule out completely to see what Wazuh rule it normally tagged it with, expecting 60103 like others I've done, but it never gets to phase 3.

Any insight is appreciated.


root@wazuh:~# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4741","version":"0","level":"0","task":"13825","opcode":"0","keywords":"0x8020000000000000","systemTime":"2022-02-22T18:14:30.082254900Z","eventRecordID":"3256222","processID":"644","threadID":"1272","channel":"Security","computer":"T2-TEST-DC.SDTEST.INTERNAL","severityValue":"AUDIT_SUCCESS","message":"\"A computer account was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-3076146750-39566917-1392961547-500\r\n\tAccount Name:\t\tadministrator\r\n\tAccount Domain:\t\tSDTEST\r\n\tLogon ID:\t\t0xA827332\r\n\r\nNew Computer Account:\r\n\tSecurity ID:\t\tS-1-5-21-3076146750-39566917-1392961547-1114\r\n\tAccount Name:\t\tFAKEPC2$\r\n\tAccount Domain:\t\tSDTEST\r\n\r\nAttributes:\r\n\tSAM Account Name:\tFAKEPC2$\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t<never>\r\n\tAccount Expires:\t\t<never>\r\n\tPrimary Group ID:\t515\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t0x0\r\n\tNew UAC Value:\t\t0x85\r\n\tUser Account Control:\t\r\n\t\tAccount Disabled\r\n\t\t'Password Not Required' - Enabled\r\n\t\t'Workstation Trust Account' - Enabled\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t<value not set>\r\n\tDNS Host Name:\t\t-\r\n\tService Principal Names:\t-\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-\""},"eventdata":{"targetUserName":"FAKEPC2$","targetDomainName":"SDTEST","targetSid":"S-1-5-21-3076146750-39566917-1392961547-1114","subjectUserSid":"S-1-5-21-3076146750-39566917-1392961547-500","subjectUserName":"administrator","subjectDomainName":"SDTEST","subjectLogonId":"0xa827332","samAccountName":"FAKEPC2$","passwordLastSet":"%%1794","accountExpires":"%%1794","primaryGroupId":"515","oldUacValue":"0x0","newUacValue":"0x85","userAccountControl":"    %%2080    %%2082    %%2087","logonHours":"%%1793"}}}

**Phase 1: Completed pre-decoding.
        full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4741","version":"0","level":"0","task":"13825","opcode":"0","keywords":"0x8020000000000000","systemTime":"2022-02-22T18:14:30.082254900Z","eventRecordID":"3256222","processID":"644","threadID":"1272","channel":"Security","computer":"T2-TEST-DC.SDTEST.INTERNAL","severityValue":"AUDIT_SUCCESS","message":"\"A computer account was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-3076146750-39566917-1392961547-500\r\n\tAccount Name:\t\tadministrator\r\n\tAccount Domain:\t\tSDTEST\r\n\tLogon ID:\t\t0xA827332\r\n\r\nNew Computer Account:\r\n\tSecurity ID:\t\tS-1-5-21-3076146750-39566917-1392961547-1114\r\n\tAccount Name:\t\tFAKEPC2$\r\n\tAccount Domain:\t\tSDTEST\r\n\r\nAttributes:\r\n\tSAM Account Name:\tFAKEPC2$\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t<never>\r\n\tAccount Expires:\t\t<never>\r\n\tPrimary Group ID:\t515\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t0x0\r\n\tNew UAC Value:\t\t0x85\r\n\tUser Account Control:\t\r\n\t\tAccount Disabled\r\n\t\t'Password Not Required' - Enabled\r\n\t\t'Workstation Trust Account' - Enabled\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t<value not set>\r\n\tDNS Host Name:\t\t-\r\n\tService Principal Names:\t-\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-\""},"eventdata":{"targetUserName":"FAKEPC2$","targetDomainName":"SDTEST","targetSid":"S-1-5-21-3076146750-39566917-1392961547-1114","subjectUserSid":"S-1-5-21-3076146750-39566917-1392961547-500","subjectUserName":"administrator","subjectDomainName":"SDTEST","subjectLogonId":"0xa827332","samAccountName":"FAKEPC2$","passwordLastSet":"%%1794","accountExpires":"%%1794","primaryGroupId":"515","oldUacValue":"0x0","newUacValue":"0x85","userAccountControl":"    %%2080    %%2082    %%2087","logonHours":"%%1793"}}}'

**Phase 2: Completed decoding.
        name: 'json'
        win.eventdata.accountExpires: '%%1794'
        win.eventdata.logonHours: '%%1793'
        win.eventdata.newUacValue: '0x85'
        win.eventdata.oldUacValue: '0x0'
        win.eventdata.passwordLastSet: '%%1794'
        win.eventdata.primaryGroupId: '515'
        win.eventdata.samAccountName: 'FAKEPC2$'
        win.eventdata.subjectDomainName: 'SDTEST'
        win.eventdata.subjectLogonId: '0xa827332'
        win.eventdata.subjectUserName: 'administrator'
        win.eventdata.subjectUserSid: 'S-1-5-21-3076146750-39566917-1392961547-500'
        win.eventdata.targetDomainName: 'SDTEST'
        win.eventdata.targetSid: 'S-1-5-21-3076146750-39566917-1392961547-1114'
        win.eventdata.targetUserName: 'FAKEPC2$'
        win.eventdata.userAccountControl: '    %%2080    %%2082    %%2087'
        win.system.channel: 'Security'
        win.system.computer: 'T2-TEST-DC.SDTEST.INTERNAL'
        win.system.eventID: '4741'
        win.system.eventRecordID: '3256222'
        win.system.keywords: '0x8020000000000000'
        win.system.level: '0'
        win.system.message: '"A computer account was created.

Subject:
        Security ID:            S-1-5-21-3076146750-39566917-1392961547-500
        Account Name:           administrator
        Account Domain:         SDTEST
        Logon ID:               0xA827332

New Computer Account:
        Security ID:            S-1-5-21-3076146750-39566917-1392961547-1114
        Account Name:           FAKEPC2$
        Account Domain:         SDTEST

Attributes:
        SAM Account Name:       FAKEPC2$
        Display Name:           -
        User Principal Name:    -
        Home Directory:         -
        Home Drive:             -
        Script Path:            -
        Profile Path:           -
        User Workstations:      -
        Password Last Set:      <never>
        Account Expires:                <never>
        Primary Group ID:       515
        AllowedToDelegateTo:    -
        Old UAC Value:          0x0
        New UAC Value:          0x85
        User Account Control:
                Account Disabled
                'Password Not Required' - Enabled
                'Workstation Trust Account' - Enabled
        User Parameters:        -
        SID History:            -
        Logon Hours:            <value not set>
        DNS Host Name:          -
        Service Principal Names:        -

Additional Information:
        Privileges              -"'
        win.system.opcode: '0'
        win.system.processID: '644'
        win.system.providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}'
        win.system.providerName: 'Microsoft-Windows-Security-Auditing'
        win.system.severityValue: 'AUDIT_SUCCESS'
        win.system.systemTime: '2022-02-22T18:14:30.082254900Z'
        win.system.task: '13825'
        win.system.threadID: '1272'
        win.system.version: '0'

Tom Powers

Feb 22, 2022, 1:38:25 PM
to Wazuh mailing list
Correction... I expected it to match rule 60121

Sandra Ocando

Feb 22, 2022, 2:30:47 PM
to Tom Powers, Wazuh mailing list
Hello Tom,

Currently, there's no way to directly test Windows EventChannel logs using wazuh-logtest, as these events are interpreted using implicit decoders: https://github.com/wazuh/wazuh/issues/2765

However, you can test your logs by temporarily modifying the Windows EventChannel parent rule. Be cautious in production environments; consider using a test environment.

To test your logs, edit /var/ossec/ruleset/rules/0575-win-base_rules.xml and modify rule 60000 the following way:
  - Change <decoded_as> from windows_eventchannel to json
  - Remove <category>ossec</category>
  <rule id="60000" level="0">
    <decoded_as>json</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules</description>
  </rule>
Once the rule has been modified, you can use /var/ossec/bin/wazuh-logtest to test your log. For example:
# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4741","version":"0","level":"0","task":"13825","opcode":"0","keywords":"0x8020000000000000","systemTime":"2022-02-22T18:14:30.082254900Z","eventRecordID":"3256222","processID":"644","threadID":"1272","channel":"Security","computer":"T2-TEST-DC.SDTEST.INTERNAL","severityValue":"AUDIT_SUCCESS","message":"\"A computer account was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-3076146750-39566917-1392961547-500\r\n\tAccount Name:\t\tadministrator\r\n\tAccount Domain:\t\tSDTEST\r\n\tLogon ID:\t\t0xA827332\r\n\r\nNew Computer Account:\r\n\tSecurity ID:\t\tS-1-5-21-3076146750-39566917-1392961547-1114\r\n\tAccount Name:\t\tFAKEPC2$\r\n\tAccount Domain:\t\tSDTEST\r\n\r\nAttributes:\r\n\tSAM Account Name:\tFAKEPC2$\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t<never>\r\n\tAccount Expires:\t\t<never>\r\n\tPrimary Group ID:\t515\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t0x0\r\n\tNew UAC Value:\t\t0x85\r\n\tUser Account Control:\t\r\n\t\tAccount Disabled\r\n\t\t'Password Not Required' - Enabled\r\n\t\t'Workstation Trust Account' - Enabled\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t<value not set>\r\n\tDNS Host Name:\t\t-\r\n\tService Principal Names:\t-\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-\""},"eventdata":{"targetUserName":"FAKEPC2$","targetDomainName":"SDTEST","targetSid":"S-1-5-21-3076146750-39566917-1392961547-1114","subjectUserSid":"S-1-5-21-3076146750-39566917-1392961547-500","subjectUserName":"administrator","subjectDomainName":"SDTEST","subjectLogonId":"0xa827332","samAccountName":"FAKEPC2$","passwordLastSet":"%%1794","accountExpires":"%%1794","primaryGroupId":"515","oldUacValue":"0x0","newUacValue":"0x85","userAccountControl":"    %%2080    %%2082    %%2087","logonHours":"%%1793"}}}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
	name: 'json'
	win.eventdata.accountExpires: '%%1794'
	win.eventdata.logonHours: '%%1793'
	win.eventdata.newUacValue: '0x85'
	win.eventdata.oldUacValue: '0x0'
	win.eventdata.passwordLastSet: '%%1794'
	win.eventdata.primaryGroupId: '515'
	win.eventdata.samAccountName: 'FAKEPC2$'
	win.eventdata.subjectDomainName: 'SDTEST'
	win.eventdata.subjectLogonId: '0xa827332'
	win.eventdata.subjectUserName: 'administrator'
	win.eventdata.subjectUserSid: 'S-1-5-21-3076146750-39566917-1392961547-500'
	win.eventdata.targetDomainName: 'SDTEST'
	win.eventdata.targetSid: 'S-1-5-21-3076146750-39566917-1392961547-1114'
	win.eventdata.targetUserName: 'FAKEPC2$'
	win.eventdata.userAccountControl: '    %%2080    %%2082    %%2087'
	win.system.channel: 'Security'
	win.system.computer: 'T2-TEST-DC.SDTEST.INTERNAL'
	win.system.eventID: '4741'
	win.system.eventRecordID: '3256222'
	win.system.keywords: '0x8020000000000000'
	win.system.level: '0'
	win.system.message: '"A computer account was created.

Subject:
	Security ID:		S-1-5-21-3076146750-39566917-1392961547-500
	Account Name:		administrator
	Account Domain:		SDTEST
	Logon ID:		0xA827332

New Computer Account:
	Security ID:		S-1-5-21-3076146750-39566917-1392961547-1114
	Account Name:		FAKEPC2$
	Account Domain:		SDTEST

Attributes:
	SAM Account Name:	FAKEPC2$
	Display Name:		-
	User Principal Name:	-
	Home Directory:		-
	Home Drive:		-
	Script Path:		-
	Profile Path:		-
	User Workstations:	-
	Password Last Set:	<never>
	Account Expires:		<never>
	Primary Group ID:	515
	AllowedToDelegateTo:	-
	Old UAC Value:		0x0
	New UAC Value:		0x85
	User Account Control:	
		Account Disabled
		'Password Not Required' - Enabled
		'Workstation Trust Account' - Enabled
	User Parameters:	-
	SID History:		-
	Logon Hours:		<value not set>
	DNS Host Name:		-
	Service Principal Names:	-

Additional Information:
	Privileges		-"'
	win.system.opcode: '0'
	win.system.processID: '644'
	win.system.providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}'
	win.system.providerName: 'Microsoft-Windows-Security-Auditing'
	win.system.severityValue: 'AUDIT_SUCCESS'
	win.system.systemTime: '2022-02-22T18:14:30.082254900Z'
	win.system.task: '13825'
	win.system.threadID: '1272'
	win.system.version: '0'

**Phase 3: Completed filtering (rules).
	id: '60121'
	level: '5'
	description: 'Computer account added/changed/deleted.'
	groups: '['windows', 'windows_security', 'account_changed']'
	firedtimes: '1'
	gdpr: '['IV_32.2', 'IV_35.7.d']'
	gpg13: '['7.10']'
	hipaa: '['164.312.a.2.I', '164.312.a.2.II', '164.312.b']'
	mail: 'False'
	mitre.id: '['T1098', 'T1136', 'T1531']'
	mitre.tactic: '['Persistence', 'Impact']'
	mitre.technique: '['Account Manipulation', 'Create Account', 'Account Access Removal']'
	nist_800_53: '['AC.2', 'AC.7', 'AU.14', 'IA.4']'
	pci_dss: '['10.2.5', '8.1.2']'
	tsc: '['CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
Once you've finished your tests, remember to modify rule 60000 to its original form to avoid interfering with the Wazuh manager functionality.

Let us know if you have any questions.
Best regards,
Sandra
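The procedure in the reply above (back up the rules file, rewrite rule 60000, run wazuh-logtest, put the file back) is easy to get half-done and forget, so here it is scripted. This is an added example, not code from the thread or from the Wazuh project. It assumes the default Wazuh 4.x manager paths for the rules file and wazuh-logtest, that rule 60000 has the stock form (a <category>ossec</category> line followed by <decoded_as>windows_eventchannel</decoded_as>), and that wazuh-logtest reads the event from standard input. The XML fragment at the bottom is constructed for the self-check; it is not the real file.

```sh
# Added example (not from the thread or from Wazuh): script the temporary
# rule-60000 edit for testing EventChannel JSON with wazuh-logtest.
# Assumed default manager paths; override with RULES=... LOGTEST=... if needed.
RULES="${RULES:-/var/ossec/ruleset/rules/0575-win-base_rules.xml}"
LOGTEST="${LOGTEST:-/var/ossec/bin/wazuh-logtest}"

# Copy <in-file> to <out-file>, editing only the lines between
# <rule id="60000"> and its </rule>: drop <category>ossec</category> and turn
# decoded_as windows_eventchannel into json. Every other rule passes through.
patch_rule_60000() {  # usage: patch_rule_60000 <in-file> <out-file>
    awk '
        /<rule id="60000"/                      { inrule = 1 }
        inrule && /<category>ossec<\/category>/ { next }
        inrule { sub(/<decoded_as>windows_eventchannel<\/decoded_as>/, "<decoded_as>json</decoded_as>") }
        /<\/rule>/                              { inrule = 0 }
        { print }
    ' "$1" > "$2"
}

# Exit 0 only if rule 60000 in <file> is in the test form from the reply:
# decoded_as json and no <category> line inside the rule.
check_patched() {  # usage: check_patched <file>
    awk '
        /<rule id="60000"/                         { inrule = 1 }
        inrule && /<decoded_as>json<\/decoded_as>/ { json = 1 }
        inrule && /<category>/                     { hascat = 1 }
        /<\/rule>/                                 { inrule = 0 }
        END { exit ((json && !hascat) ? 0 : 1) }
    ' "$1"
}

# Feed one event file (one JSON event per line) to wazuh-logtest with the
# temporary rule in place. The original rules file is restored when the
# function finishes and, via the EXIT trap, if the shell is interrupted.
logtest_eventchannel() {  # usage: logtest_eventchannel <event-json-file>
    bak="$RULES.orig"
    cp -p "$RULES" "$bak" || return 1
    trap 'cp -p "$bak" "$RULES"; rm -f "$bak"' EXIT
    patch_rule_60000 "$bak" "$RULES"
    check_patched "$RULES" || { echo "rule 60000 was not rewritten as expected" >&2; return 1; }
    "$LOGTEST" < "$1"
    cp -p "$bak" "$RULES" && rm -f "$bak"
    trap - EXIT
}

# Constructed fragment for the self-check (not the real 0575 file): rule 60000
# in its stock form plus a made-up neighbour whose <category> must survive.
sample_rules() {
    cat <<'EOF'
<group name="windows,">
  <rule id="60000" level="0">
    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules</description>
  </rule>
  <!-- constructed rule, not part of the Wazuh ruleset -->
  <rule id="100000" level="0">
    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>
    <description>constructed neighbour rule</description>
  </rule>
</group>
EOF
}

# Self-check on the constructed fragment; needs no manager installed.
src=$(mktemp) && dst=$(mktemp)
sample_rules > "$src"
patch_rule_60000 "$src" "$dst"
if check_patched "$dst"; then echo "rule 60000 rewritten for logtest:"; cat "$dst"; fi
rm -f "$src" "$dst"
```

On a manager, save the event JSON from the thread as a single line in a file and run `logtest_eventchannel event.json` as root; the backup copy is written next to the rules file as 0575-win-base_rules.xml.orig and copied back when logtest exits. The awk edit is deliberately limited to the rule 60000 block so that no other rule's <category> or <decoded_as> is touched, and check_patched refuses to run logtest if the file does not look the way the reply shows it.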
