Hi Agron,
The alerts you're receiving from Wazuh with the provided log entries indicate a specific pattern:
data.win.eventdata.processName: This field shows the process name involved in the event. In this case, it's C:\Windows\System32\services.exe, indicating the Windows system services process.
data.win.eventdata.logonProcessName: This field indicates the name of the process that handles the logon event. It's Advapi, which refers to the Advapi32.dll library, responsible for advanced Windows security and authentication.
data.win.eventdata.logonType: This field specifies the type of logon that occurred. The value 5 corresponds to a service logon.
data.win.eventdata.subjectUserSid: This field provides the Security Identifier (SID) of the subject user. The value S-1-5-18 corresponds to the Local System account.
data.win.system.eventID: This field represents the event ID of the Windows event log entry. The value 4624 corresponds to a successful logon event.
Based on the provided information, it seems that Wazuh is configured to monitor successful logon events (Event ID 4624) involving the services.exe process (handled by Advapi logon process) with a logon type of 5 (service logon), where the logon was performed by the Local System account (S-1-5-18).
These alerts are part of your security monitoring strategy to keep track of legitimate logon activities involving system services. The purpose of such alerts is to ensure that you're aware of activities involving critical system components and that you can detect any anomalies or unauthorized logon attempts that might involve manipulating system services.
If these alerts are consistently identical and expected, it could mean that the system services are performing their normal operations without any suspicious activity. However, if you notice any unexpected changes or irregularities in these patterns, it's important to investigate further to ensure the security and stability of your system.
The Wazuh manager generates an alert every time an event collected by one of the agents matches a rule with a priority level higher than a predefined threshold (3 by default).
To know more about how to collect Windows logs using Wazuh, please refer to
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html
To know more about Windows logon events, please refer to
https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter5
Regards,
Stuti Gupta
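The reply above describes a fixed, expected pattern in these 4624 alerts (services.exe, Advapi, logon type 5, S-1-5-18). A practical follow-up is a small baseline check that reads Wazuh alert documents and separates the ones matching that pattern from the ones that deviate, so only the deviations need a closer look. The script below is an added example written for this thread; it is not code from the reply or from the Wazuh project. It assumes the dotted field names quoted in the reply map onto the nested JSON of a Wazuh alert document, and the sample alerts it runs over are constructed, including the deviating values in the second one.

```python
"""Baseline triage for Wazuh Event ID 4624 service-logon alerts.

Added example, not part of the original reply or of Wazuh itself. It walks
the dotted field paths quoted in the thread (data.win.eventdata.processName,
logonProcessName, logonType, subjectUserSid, data.win.system.eventID) inside
a nested alert document and reports every field that differs from the
expected services.exe / Advapi / type 5 / S-1-5-18 pattern.
"""
import json

# Expected values, taken from the pattern described in the reply above.
BASELINE = {
    "data.win.eventdata.processName": r"C:\Windows\System32\services.exe",
    "data.win.eventdata.logonProcessName": "Advapi",
    "data.win.eventdata.logonType": "5",
    "data.win.eventdata.subjectUserSid": "S-1-5-18",
    "data.win.system.eventID": "4624",
}


def get_path(doc, dotted):
    """Follow a dotted field path through nested dicts; None if any part is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def deviations(alert):
    """Return {field: (expected, actual)} for each baseline field that differs.

    Comparison is case-insensitive because Windows paths and SIDs are not
    case-sensitive; a missing field counts as a deviation (actual is None).
    """
    diff = {}
    for field, expected in BASELINE.items():
        actual = get_path(alert, field)
        if actual is None or str(actual).lower() != expected.lower():
            diff[field] = (expected, actual)
    return diff


def triage(alerts):
    """Split alerts into (matches_baseline, needs_review) lists of (alert id, deviations)."""
    ok, review = [], []
    for alert in alerts:
        diff = deviations(alert)
        (review if diff else ok).append((alert.get("id"), diff))
    return ok, review


# Constructed sample alert documents (assumed layout, not real captured data).
# a1 matches the baseline exactly; a2 deviates in logonType and subjectUserSid
# (the values 3 and the S-1-5-21-... SID are constructed placeholders).
SAMPLE_ALERTS = json.loads(r"""
[
  {"id": "a1", "rule": {"level": 3},
   "data": {"win": {
     "system": {"eventID": "4624"},
     "eventdata": {"processName": "C:\\Windows\\System32\\services.exe",
                   "logonProcessName": "Advapi",
                   "logonType": "5",
                   "subjectUserSid": "S-1-5-18"}}}},
  {"id": "a2", "rule": {"level": 3},
   "data": {"win": {
     "system": {"eventID": "4624"},
     "eventdata": {"processName": "C:\\Windows\\System32\\services.exe",
                   "logonProcessName": "Advapi",
                   "logonType": "3",
                   "subjectUserSid": "S-1-5-21-PLACEHOLDER-1001"}}}}
]
""")

if __name__ == "__main__":
    matched, to_review = triage(SAMPLE_ALERTS)
    print("baseline matches:", [i for i, _ in matched])
    for alert_id, diff in to_review:
        print(f"review {alert_id}:")
        for field, (expected, actual) in diff.items():
            print(f"  {field}: expected {expected!r}, got {actual!r}")
```

Feeding this the JSON exported from the alerts index (or a line per alert from alerts.json) gives a quick view of whether the stream really is "consistently identical", as the reply puts it; anything landing in the review list is where the investigation the reply recommends should start.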