Custom Correlated Rules


Caio Oliveira

Mar 16, 2021, 4:25:15 PM
to Wazuh mailing list
Hi all,

I'm trying to build a correlated rule, but I have no idea how to do it.

It's for a Windows event, event ID 4722, "A user account was enabled".
Wazuh has a default rule for that, but this event occurs together with 4720, "A user account was created".
I need a rule that fires just when event 4720 doesn't occur.
Do you have any idea if it's possible?

Thanks

José Fernández

Mar 17, 2021, 7:18:08 AM
to Wazuh mailing list
Hello Caio.ha,

I don't fully understand your question, could you explain a little more?
By the way, as I can see in the rule definition https://github.com/wazuh/wazuh/blob/master/ruleset/rules/0580-win-security_rules.xml#L98, rule 60103 triggers when any of those events is logged by Windows (there is an OR clause instead of an AND clause).
So, in my tests, if we generate a 4720 event the rule triggers. At the same time, if we generate an isolated 4722 event the same rule triggers.
Maybe you want to create more specific rules. In that case, you could write two new rules that inherit from 60103, each one matching one specific case (only 4720 or 4722).
Another case that comes to my mind could be that you want to mute 4722 when 4720 triggers or vice versa, but this case never happens in the current scenario.

I hope it helps. I'm waiting for your answer!

Caio Oliveira

Mar 17, 2021, 4:08:22 PM
to José Fernández, Wazuh mailing list
Hello Jose,

In my case, I need the rule to trigger just when a 4722 occurs without the 4720.
If they trigger together, it is irrelevant for me.
hehhee


José Fernández

Mar 23, 2021, 11:05:34 AM
to Wazuh mailing list
Hello Caio.ha,

Sorry for the late reply. As I mentioned, the 4722 event triggers the rule in any case:
- With 4720 previously triggered.
- Without 4720 previously triggered.

In this case, you don't have to worry about writing a new rule.
PS: I have tested this with the command net user YOUR_TESTING_USER_ACCOUNT /active:yes if you wish to check yourself (set active to yes or no). This command only generates 4722 events in the Windows Event Viewer (4722 on enable and 4725 on disable).

Take a look at the given screenshot (no 4720 event, but the alert triggered).
If I'm not understanding you, please let me know all your requirements and a full explanation of what you want, and I will do my best to solve your problem.

José Fernández

Mar 23, 2021, 11:13:44 AM
to Wazuh mailing list
The attached image.
answer_to_Caio.ha.png

Caio Oliveira

Mar 23, 2021, 5:52:34 PM
to José Fernández, Wazuh mailing list
Hi José,

I need to execute a rule action after this event, 4722.
But when a user is created, the events 4722 and 4720 occur at the same time for the same user, and this action is valid.
I need to execute an action just when the 4722 occurs alone. I need to perform a rule that discards the event 4722 when it occurs together with the event 4720.

It's a bit confusing. Hehehe


José Fernández

Mar 29, 2021, 12:36:23 PM
to Wazuh mailing list
Hello Caio.ha,

I have tested this solution, could you give it a try?

Manager configuration required to trigger the active response command. Modify the ossec.conf as follows:
  <!-- Both blocks go inside <ossec_config> on the manager -->

  <!-- Declares the script the agent will run (relative to active-response/bin) -->
  <command>
    <name>windows-command</name>
    <executable>script_launcher.cmd</executable>
  </command>

  <!-- Runs that command on the agent that raised the alert, for the listed rule id -->
  <active-response>
    <command>windows-command</command>
    <location>local</location>
    <rules_id>60109</rules_id>
  </active-response>
Put this line inside a CMD script in C:\Program Files (x86)\ossec-agent\active-response\bin\script_launcher.cmd

Powershell.exe -executionpolicy Bypass -File "%cd%\active-response\bin\correlator.ps1"

This script performs your correlation on the Event Viewer.
# Collect the 4722 and 4720 entries written to the Security log in the last minute
$events = @(Get-EventLog -LogName Security -InstanceId 4722,4720 -After (Get-Date).AddMinutes(-1))

# Exactly one entry means the 4722 arrived without its companion 4720
if ($events.Count -eq 1) {
    # Do your stuff
}
Put it in the same folder as the previous script and call it correlator.ps1.
Hope it helps. Don't hesitate to ask us if you have any doubt.
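A variant of the correlator that keys the two events on the account SID rather than on a bare count, so a 4722 that merely follows the 4720 of the same new account is discarded while a 4722 for any other account is kept. This is an added example, not the script from the thread or Wazuh's own code; it assumes it is launched by the script_launcher.cmd above, and the log path is a placeholder.

```powershell
# Added example (not from the thread): drop 4722 events whose account was created (4720)
# inside the same window, keep the rest. Assumed: run via script_launcher.cmd on the agent.
param(
    [int]$WindowMinutes = 1,
    [string]$LogPath = 'C:\correlator-findings.log'   # placeholder path, adjust as needed
)

# Read one named field (TargetSid, TargetUserName, ...) out of an event's EventData XML.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddMinutes(-$WindowMinutes)

# One query for both IDs; Get-WinEvent throws when nothing matches, so treat that as empty.
try {
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4722; StartTime = $since } -ErrorAction Stop)
} catch {
    $events = @()
}

# SIDs of accounts created in the window: a 4722 for one of these is just part of creation.
$createdSids = @{}
foreach ($e in $events | Where-Object { $_.Id -eq 4720 }) {
    $createdSids[(Get-EventField $e 'TargetSid')] = $true
}

# Keep only 4722 events whose account was NOT created in the same window.
$standalone = @()
foreach ($e in $events | Where-Object { $_.Id -eq 4722 }) {
    $sid = Get-EventField $e 'TargetSid'
    if ($createdSids.ContainsKey($sid)) { continue }
    $standalone += [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = Get-EventField $e 'TargetUserName'
        Sid       = $sid
        EnabledBy = Get-EventField $e 'SubjectUserName'
    }
}

foreach ($hit in $standalone) {
    # Do your stuff here; this version only records the finding for review.
    Add-Content -Path $LogPath -Value ("{0:o} 4722 without 4720: {1} ({2}) enabled by {3}" -f $hit.Time, $hit.Account, $hit.Sid, $hit.EnabledBy)
}
```

Because the lookup is per SID, two accounts touched in the same minute no longer mask each other, which the plain count in the thread's script cannot distinguish.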

Caio Oliveira

Apr 1, 2021, 10:32:26 AM
to José Fernández, Wazuh mailing list
Thanks

I think that this script will solve the problem.

José Fernández

Apr 5, 2021, 2:58:02 AM
to Wazuh mailing list
I'm really glad to hear that!

Please don't hesitate to ask us if you have another problem or more doubts.

Regards.