"Windows logon success" alerts (Advapi logon type 5)


AgronM

Aug 7, 2023, 4:51:26 AM
to Wazuh mailing list
Good morning everyone,

I'm trying to understand why "authentication success" alerts are being generated every couple minutes. 

The alerts are always identical and some of the log entries are:
  • data.win.eventdata.processName       C:\\Windows\\System32\\services.exe
  • data.win.eventdata.logonProcessName  Advapi
  • data.win.eventdata.logonType         5
  • data.win.eventdata.subjectUserSid    S-1-5-18
  • data.win.system.eventID              4624
There are no log entries that help me identify the service that is triggering these alerts.

I would appreciate your help.

Best regards
Agron

Stuti Gupta

Aug 8, 2023, 12:12:06 AM
to Wazuh mailing list
Hi Agron,

The alerts you're receiving from Wazuh with the provided log entries indicate a specific pattern:
  • data.win.eventdata.processName: This field shows the process name involved in the event. In this case, it's C:\Windows\System32\services.exe, indicating the Windows system services process.
  • data.win.eventdata.logonProcessName: This field indicates the name of the process that handles the logon event. It's Advapi, which refers to the Advapi32.dll library, responsible for advanced Windows security and authentication.
  • data.win.eventdata.logonType: This field specifies the type of logon that occurred. The value 5 corresponds to a service logon.
  • data.win.eventdata.subjectUserSid: This field provides the Security Identifier (SID) of the subject user. The value S-1-5-18 corresponds to the Local System account.
  • data.win.system.eventID: This field represents the event ID of the Windows event log entry. The value 4624 corresponds to a successful logon event.

Based on the provided information, it seems that Wazuh is configured to monitor successful logon events (Event ID 4624) involving the services.exe process (handled by Advapi logon process) with a logon type of 5 (service logon), where the logon was performed by the Local System account (S-1-5-18).

These alerts are part of your security monitoring strategy to keep track of legitimate logon activities involving system services. The purpose of such alerts is to ensure that you're aware of activities involving critical system components and that you can detect any anomalies or unauthorized logon attempts that might involve manipulating system services.
If these alerts are consistently identical and expected, it could mean that the system services are performing their normal operations without any suspicious activity. However, if you notice any unexpected changes or irregularities in these patterns, it's important to investigate further to ensure the security and stability of your system.
The Wazuh manager generates an alert every time an event, collected by one of the agents, matches a rule with a priority level higher than a predefined threshold (3 by default).

To know more about how to collect Windows logs using wazuh please refer to https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html
To know more about Windows logon events please refer to https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter5

Regards,
Stuti Gupta
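As an added example (not part of the thread above, and not Wazuh's own code), the triage logic the reply describes can be written down explicitly: treat a 4624 with logon type 5, logon process Advapi, subject SID S-1-5-18 and process services.exe as the expected "service start by Local System" baseline, count those by target account, and surface every other successful logon for review. The alert records below are constructed for this example and only mimic the data.win.system.eventID and data.win.eventdata.* fields quoted in the thread; the targetUserName field is the standard 4624 TargetUserName as Wazuh maps it, and the classification labels are this example's own naming.

```python
import json
from collections import Counter

# Constructed sample alerts (not real data), one JSON object per line, shaped like
# the Wazuh fields quoted in the thread. Backslashes are JSON-escaped.
SAMPLE_ALERTS_JSON = r"""
{"data":{"win":{"system":{"eventID":"4624"},"eventdata":{"processName":"C:\\Windows\\System32\\services.exe","logonProcessName":"Advapi","logonType":"5","subjectUserSid":"S-1-5-18","targetUserName":"SYSTEM"}}}}
{"data":{"win":{"system":{"eventID":"4624"},"eventdata":{"processName":"C:\\Windows\\System32\\services.exe","logonProcessName":"Advapi","logonType":"5","subjectUserSid":"S-1-5-18","targetUserName":"NETWORK SERVICE"}}}}
{"data":{"win":{"system":{"eventID":"4624"},"eventdata":{"processName":"C:\\Windows\\System32\\svchost.exe","logonProcessName":"Advapi","logonType":"5","subjectUserSid":"S-1-5-21-1000-2000-3000-1001","targetUserName":"svc-backup"}}}}
{"data":{"win":{"system":{"eventID":"4624"},"eventdata":{"processName":"C:\\Windows\\System32\\winlogon.exe","logonProcessName":"User32","logonType":"10","subjectUserSid":"S-1-5-18","targetUserName":"alice"}}}}
{"data":{"win":{"system":{"eventID":"4672"},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"SYSTEM"}}}}
"""

# The baseline described in the thread: a service logon performed by Local System.
EXPECTED_SERVICE_LOGON = {
    "logonType": "5",            # service logon
    "logonProcessName": "Advapi",
    "subjectUserSid": "S-1-5-18",  # NT AUTHORITY\SYSTEM
}
SERVICES_EXE_SUFFIX = "\\windows\\system32\\services.exe"


def get_field(alert, dotted_path):
    """Walk a dotted path such as data.win.eventdata.logonType; None if absent."""
    node = alert
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def classify(alert):
    """Return 'other' (not a 4624), 'expected-service-logon', or 'review'."""
    if get_field(alert, "data.win.system.eventID") != "4624":
        return "other"
    eventdata = get_field(alert, "data.win.eventdata") or {}
    # Normalise the doubled backslashes seen in the thread's listing, then compare
    # case-insensitively, as Windows paths are.
    proc = (eventdata.get("processName") or "").replace("\\\\", "\\").lower()
    baseline = all(eventdata.get(k) == v for k, v in EXPECTED_SERVICE_LOGON.items())
    if baseline and proc.endswith(SERVICES_EXE_SUFFIX):
        return "expected-service-logon"
    return "review"


def parse_alerts(text):
    """Parse newline-delimited JSON alerts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(text):
    """Summarise a batch of alerts: baseline counts per target account, plus the
    4624 events that do not fit the baseline and therefore deserve a look."""
    alerts = parse_alerts(text)
    labelled = [(classify(a), a) for a in alerts]
    expected_by_target = Counter(
        get_field(a, "data.win.eventdata.targetUserName")
        for label, a in labelled if label == "expected-service-logon"
    )
    review = [a for label, a in labelled if label == "review"]
    return {
        "total": len(alerts),
        "expected": sum(expected_by_target.values()),
        "expected_by_target": dict(expected_by_target),
        "review": review,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS_JSON)
    print(f"{result['total']} alerts, {result['expected']} expected service logons "
          f"by target account: {result['expected_by_target']}")
    for alert in result["review"]:
        ed = get_field(alert, "data.win.eventdata")
        print("REVIEW:", ed["logonType"], ed["logonProcessName"],
              ed["subjectUserSid"], "->", ed["targetUserName"])
```

Counting the baseline events by targetUserName is the closest one can get from 4624 alone to "which service was started": it tells you which account the service runs as (SYSTEM, NETWORK SERVICE, a dedicated service account), even though the service name itself is not in the event. Anything that matches the baseline only partially, such as a type 5 logon whose subject is not Local System, is left in the review list rather than silently dropped.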

AgronM

Aug 8, 2023, 3:13:37 AM
to Wazuh mailing list
Hello Stuti,

That's very helpful, thank you.