Rule for NTLM Eventchannel doesn't work


Daniel

Oct 24, 2025, 6:32:06 AM
to Wazuh | Mailing List
Hello everyone,
I would like to collect the event channel source “Microsoft-Windows-NTLM/Operational” in the dashboard. To do this, I have created a separate agent group that performs the collection. The configuration for this is as follows:
"
  <agent_config>
    <localfile>
      <location>Microsoft-Windows-NTLM/Operational</location>
      <log_format>eventchannel</log_format>
    </localfile>
  </agent_config>

"

I also added the following rules to local_rules.xml. Despite the rule, I can't find a single entry under wazuh-alerts-*. I have now activated wazuh-archives-*, and I'm wondering why the rule isn't working.

The rules are defined as follows:
"
<group name="windows,ntlm,local">
    <!-- Channel grouping -->
    <rule id="110002" level="0">
        <if_sid>60000</if_sid>
        <field name="win.system.channel">^Microsoft-Windows-NTLM/Operational$</field>
        <description>Group: Microsoft-Windows-NTLM/Operational</description>
    </rule>
   
    <rule id="110003" level="10">
        <if_sid>110002</if_sid>
        <field name="win.system.eventID">^8004$</field>
        <field name="win.system.providerName">^Microsoft-Windows-Security-Netlogon$</field>
        <description>NTLM authentication to this domain controller (8004)</description>
        <group>windows,ntlm,authentication,local</group>
    </rule>
</group>

"

To log the following in wazuh-alerts-*:
"
{
  "win": {
    "system": {
      "providerName": "Microsoft-Windows-Security-Netlogon",
      "providerGuid": "{e5ba83f6-07d0-46b1-8bc7-7e669a1d31dc}",
      "eventID": "8004",
      "version": "0",
      "level": "4",
      "task": "2",
      "opcode": "0",
      "keywords": "0x8000000000000000",
      "systemTime": "2025-10-23T12:29:31.378930100Z",
      "eventRecordID": "922682",
      "processID": "656",
      "threadID": "10888",
      "channel": "Microsoft-Windows-NTLM/Operational",
      "computer": "DC-1.intern.local",
      "severityValue": "INFORMATION",
      "message": "\"Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.\r\nSecure Channel name: Server-1\r\nUser name: User-1\r\nDomain name: INTERNLOCAL\r\nWorkstation name: Computer-1\r\nSecure Channel type: 2\r\n\r\nAudit NTLM authentication requests within the domain INTERNLOCAL that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.\r\n\r\nIf you want to allow NTLM authentication requests in the domain INTERNLOCAL, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.\r\n\r\nIf you want to allow NTLM authentication requests to specific servers in the domain INTERNLOCAL, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain INTERNLOCAL to which clients are allowed to use NTLM authentication.\""
    },
    "eventdata": {
      "sChannelName": "Server-1",
      "userName": "User-1",
      "domainName": "INTERNLOCAL",
      "workstationName": "Computer-1",
      "sChannelType": "2"
    }
  }
}

"

wazuh-logtest output (the rule phase is missing, but why?):
"
**Phase 1: Completed pre-decoding.
        full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Security-Netlogon","providerGuid":"{e5ba83f6-07d0-46b1-8bc7-7e669a1d31dc}","eventID":"8004","version":"0","level":"4","task":"2","opcode":"0","keywords":"0x8000000000000000","systemTime":"2025-10-23T12:29:31.378930100Z","eventRecordID":"922682","processID":"656","threadID":"10888","channel":"Microsoft-Windows-NTLM/Operational","computer":"DC-1.intern.local","severityValue":"INFORMATION","message":"\"Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.\r\nSecure Channel name: Server-1\r\nUser name: User-1\r\nDomain name: INTERNLOCAL\r\nWorkstation name: Computer-1\r\nSecure Channel type: 2\r\n\r\nAudit NTLM authentication requests within the domain INTERNLOCAL that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.\r\n\r\nIf you want to allow NTLM authentication requests in the domain INTERNLOCAL, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.\r\n\r\nIf you want to allow NTLM authentication requests to specific servers in the domain INTERNLOCAL,
set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers,
and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain INTERNLOCAL to which clients are allowed to use NTLM authentication.\""},"eventdata":{"sChannelName":"Server-1","userName":"User-1","domainName":"INTERNLOCAL","workstationName":"Computer-1","sChannelType":"2"}}}'

**Phase 2: Completed decoding.
        name: 'json'
        win.eventdata.domainName: 'INTERNLOCAL'
        win.eventdata.sChannelName: 'Server-1'
        win.eventdata.sChannelType: '2'
        win.eventdata.userName: 'User-1'
        win.eventdata.workstationName: 'Computer-1'
        win.system.channel: 'Microsoft-Windows-NTLM/Operational'
        win.system.computer: 'DC-1.intern.local'
        win.system.eventID: '8004'
        win.system.eventRecordID: '922682'
        win.system.keywords: '0x8000000000000000'
        win.system.level: '4'
        win.system.message: '"Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: Server-1
User name: User-1
Domain name: INTERNLOCAL
Workstation name: Computer-1
Secure Channel type: 2

Audit NTLM authentication requests within the domain INTERNLOCAL that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.

If you want to allow NTLM authentication requests in the domain INTERNLOCAL, set
the security policy Network Security: Restrict NTLM: NTLM authentication in this
domain to Disabled.

If you want to allow NTLM authentication requests to specific servers in the domain INTERNLOCAL, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to
domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain INTERNLOCAL to which clients are allowed to use NTLM authentication."'
        win.system.opcode: '0'
        win.system.processID: '656'
        win.system.providerGuid: '{e5ba83f6-07d0-46b1-8bc7-7e669a1d31dc}'
        win.system.providerName: 'Microsoft-Windows-Security-Netlogon'
        win.system.severityValue: 'INFORMATION'
        win.system.systemTime: '2025-10-23T12:29:31.378930100Z'
        win.system.task: '2'
        win.system.threadID: '10888'
        win.system.version: '0'

"

Md. Nazmur Sakib

Oct 28, 2025, 3:18:12 AM
to Wazuh | Mailing List

Hi Daniel,

It seems to me the rules are not correct. Also, testing Windows eventchannel log for writing rules can be a bit complicated, as the ruletest tool doesn’t work the same way for Windows event channel as it does for other logs.

To know which default rule is triggering, you need to test the log first in wazuh-logtest or ruleTest.

By default, the logtest is not able to test the logs that come via the event channel. However, there is a workaround: Back up the file /var/ossec/ruleset/rules/0575-win-base_rules.xml. Modify rule 60000 inside that file, removing the category and changing the decoded_as from

    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>

to json:

  <rule id="60000" level="0">
    <decoded_as>json</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules.</description>
  </rule>

Now you can test your log with the logtest and confirm if the rule is working. It is not necessary to restart the manager after modifying this or any rules file in order to use the logtest.


WARNING: after testing, restore the file 0575-win-base_rules.xml to its original. If you don't do that, after restarting the manager all the Windows EventChannel alerts will stop working, as the main rule is changed. The modification that I suggest is only for testing purposes.


Check this document for writing custom rules:
Rules Syntax

Regular Expression Syntax

Rules


You can also check this document, which is a good example for writing a custom Windows rule.


The log you have shared is matching with rule 60009.


So you need to use 60009 as the parent ID in your rule.

But I would suggest you use <if_group>windows</if_group> for Windows custom rules, which makes creating Windows custom rules much easier.


Let me know if this works for you.

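The reply's two points, carried through as an added example that is not code from the thread, from Wazuh, or from either poster: a shell script that writes a candidate rule for NTLM/Operational event 8004 parented on rule 60009, applies the wazuh-logtest workaround (rule 60000 decoded as json, category line dropped) to a backed-up copy of 0575-win-base_rules.xml, replays a constructed 8004 event through wazuh-logtest, and restores the base rules file. Assumptions: a default /var/ossec install; the rule id 110003, the file name ntlm_local_rules.xml, the .orig backup suffix and the shortened sample event are this example's own choices. The rule does all three field checks itself rather than through a level-0 grouping rule, because a level-0 child of 60009 loses to any higher-level sibling that also matches the event.

```shell
#!/bin/sh
# Added example (not from the thread or from Wazuh). Assumes a default
# /var/ossec layout; rule id 110003, ntlm_local_rules.xml and the .orig
# backup suffix are choices made for this example.
set -eu

# Constructed sample event, shortened from the 8004 event in the thread.
SAMPLE_EVENT='{"win":{"system":{"providerName":"Microsoft-Windows-Security-Netlogon","eventID":"8004","level":"4","channel":"Microsoft-Windows-NTLM/Operational","computer":"DC-1.intern.local","severityValue":"INFORMATION","message":"Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller."},"eventdata":{"sChannelName":"Server-1","userName":"User-1","domainName":"INTERNLOCAL","workstationName":"Computer-1","sChannelType":"2"}}}'

# Write DIR/ntlm_local_rules.xml. One rule carries every field check and is
# parented on 60009, the rule the reply reports this event matching, so no
# level-0 intermediate rule can be shadowed by a higher-level sibling.
# <if_group>windows</if_group> in place of <if_sid>60009</if_sid> would also work.
write_ntlm_rules() {
  cat > "$1/ntlm_local_rules.xml" <<'EOF'
<group name="windows,ntlm,local">
  <rule id="110003" level="10">
    <if_sid>60009</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-NTLM/Operational$</field>
    <field name="win.system.providerName">^Microsoft-Windows-Security-Netlogon$</field>
    <field name="win.system.eventID">^8004$</field>
    <description>NTLM authentication to this domain controller (8004): $(win.eventdata.userName) from $(win.eventdata.workstationName) via $(win.eventdata.sChannelName)</description>
    <group>authentication,</group>
  </rule>
</group>
EOF
}

# Testing-only patch from the reply, limited to the 60000 rule block: drop the
# <category>ossec</category> line and switch the decoder to json. The original
# file is kept as FILE.orig so restore_base_rules can put it back.
patch_base_rules() {
  cp "$1" "$1.orig"
  sed -e '/<rule id="60000"/,/<\/rule>/{
    s#<decoded_as>windows_eventchannel</decoded_as>#<decoded_as>json</decoded_as>#
    /<category>ossec<\/category>/d
  }' "$1.orig" > "$1"
}

restore_base_rules() {
  mv "$1.orig" "$1"
}

# Replay one event through wazuh-logtest; returns 0 if the expected rule id
# appears in its Phase 3 output, 1 otherwise.
logtest_fires() {   # $1 = event line, $2 = expected rule id
  printf '%s\n' "$1" | /var/ossec/bin/wazuh-logtest 2>/dev/null | grep -q "id: '$2'"
}

BASE_RULES=/var/ossec/ruleset/rules/0575-win-base_rules.xml
if [ -x /var/ossec/bin/wazuh-logtest ] && [ -w "$BASE_RULES" ]; then
  write_ntlm_rules /var/ossec/etc/rules
  patch_base_rules "$BASE_RULES"
  if logtest_fires "$SAMPLE_EVENT" 110003; then
    echo "rule 110003 fired for the sample 8004 event"
  else
    echo "rule 110003 did NOT fire; inspect the Phase 3 output of wazuh-logtest"
  fi
  restore_base_rules "$BASE_RULES"   # never leave the json decoder in place
fi
```

Run it as root on the manager; the replay only happens when wazuh-logtest and the base rules file are present, and the base rules are restored immediately afterwards because, as the reply warns, a manager restarted with the patched rule 60000 stops alerting on every Windows eventchannel event.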