How to hide Windows Security Event ID 4656


Jacky Qin

Apr 19, 2019, 3:53:55 AM
to Wazuh mailing list
Hi There,

There are a lot of alerts in my wazuh 3.2.1.

[attached screenshots: 181530.jpg, 18153.jpg]

As shown in the pictures, these alerts are logs for Windows Security Event ID 4656. I don't want the logs of these 4656 events to appear in the Wazuh server, or I don't want the agents to collect them. How do I do this?

Best regards,

Jacky Qin


jesus.g...@wazuh.com

Apr 22, 2019, 5:50:01 AM
to Wazuh mailing list

Hi Jacky,

We can help here. There are several ways to hide an event.

The alerts are being generated by this rule (0220-msauth_rules.xml):

<rule id="18153" level="10" frequency="$MS_FREQ" timeframe="240">
  <if_matched_sid>18105</if_matched_sid>
  <same_source_ip />
  <description>Multiple Windows audit failure events.</description>
  <group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
</rule>

a) Create a child rule with level 0. Since level 0 rules don't generate alerts, it should be enough.

Edit the file /var/ossec/etc/rules/local_rules.xml, then add this new rule:

<rule id="100002" level="0">
   <if_sid>18153</if_sid>
   <description>Ignored rule</description>
</rule>
  • if_sid means if a rule with a specific ID is fired, then…
  • level="0" means it won’t generate an alert but it’s more important than the parent rule (level 0 is the highest level but it doesn’t generate an alert)

My local_rules.xml looks like this:

<group name="local,syslog,sshd,">

  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="100002" level="0">
     <if_sid>18153</if_sid>
     <description>Ignored rule</description>
  </rule>

</group>

Now restart the Wazuh manager:

systemctl restart wazuh-manager

b) Drop event at Logstash level:

Edit the file /etc/logstash/conf.d/01-wazuh.conf, then add this filter:

filter {
  if [rule][id] == "18153" {
    drop {}
  }  
}

Now restart Logstash:

systemctl restart logstash

Note: this modification must be done on all the Logstash instances of your environment.

Brief summary:

  • Option a adds a rule for ignoring the rule that is generating the events we want to ignore.
  • Option b is a different way to achieve this task, ignoring events at Logstash level.

Both options are valid and you may want to apply just one of them.

Best regards,
Jesús
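
A small check for option a), added here as an example and not code from the thread or from Wazuh itself. It parses the local_rules.xml posted above (embedded as a constructed string), lints it for the mistakes that most often leave a suppression rule silently ineffective (an ID outside the 100000-120000 range reserved for custom rules, an `if_sid` pointing at a rule that does not exist, a duplicate ID), and then runs a deliberately simplified model of the rule tree: a custom child whose only condition is `<if_sid>` is treated as matching every time its parent fires, which is exactly what rule 100002 relies on. The stock level of 18153 comes from the thread; the level of 5716 and the default `<log_alert_level>` of 3 are taken from the stock ruleset and manager configuration and should be checked against your own installation.

```python
"""Lint a Wazuh local_rules.xml and model which alerts a level-0 child rule silences.

Added example for this thread; it is not code from the thread or from Wazuh.
Input is the local_rules.xml posted above, embedded here as a constructed
string. The rule-tree model is deliberately simplified: a custom rule whose
only condition is <if_sid> is treated as matching every time its parent fires.
"""
import xml.etree.ElementTree as ET

# Constructed input: the local_rules.xml from the reply above.
LOCAL_RULES = """
<group name="local,syslog,sshd,">
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>
  <rule id="100002" level="0">
    <if_sid>18153</if_sid>
    <description>Ignored rule</description>
  </rule>
</group>
"""

# Stock rules this file refers to. 18153 (level 10) is quoted in the thread;
# 5716 is the stock "SSHD authentication failed" rule (level 5, assumed).
STOCK_LEVELS = {5716: 5, 18153: 10}

# Wazuh reserves 100000-120000 for user rules. The manager writes an alert when
# a rule's level reaches <log_alert_level>; 3 is the assumed default value.
CUSTOM_ID_RANGE = range(100000, 120001)
LOG_ALERT_LEVEL = 3

# Child tags that do not constrain matching; anything else (srcip, match,
# regex, ...) is a condition the event must also satisfy.
NON_CONDITION_TAGS = {"if_sid", "description", "group"}


def parse_rules(xml_text):
    """Return {id: {"level", "if_sid", "conditions", "description"}}; reject duplicate ids."""
    # local_rules.xml may hold several <group> blocks, so give them one root.
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = {}
    for rule in root.iter("rule"):
        rid = int(rule.get("id"))
        if rid in rules:
            raise ValueError(f"duplicate rule id {rid}")
        if_sid = rule.findtext("if_sid") or ""
        rules[rid] = {
            "level": int(rule.get("level", "0")),
            "if_sid": [int(p) for p in if_sid.split(",") if p.strip()],
            "conditions": [c.tag for c in rule if c.tag not in NON_CONDITION_TAGS],
            "description": (rule.findtext("description") or "").strip(),
        }
    return rules


def lint_rules(rules, known_ids=STOCK_LEVELS):
    """Return the problems a reviewer would flag before restarting the manager."""
    problems = []
    for rid, r in rules.items():
        if rid not in CUSTOM_ID_RANGE:
            problems.append(f"rule {rid}: id outside the custom range 100000-120000")
        for parent in r["if_sid"]:
            if parent not in known_ids and parent not in rules:
                problems.append(f"rule {rid}: if_sid {parent} references an unknown rule")
        if r["level"] == 0 and not r["description"]:
            problems.append(f"rule {rid}: level-0 rule without a description")
    return problems


def would_alert(fired_rule_id, rules, stock_levels=STOCK_LEVELS):
    """Simplified rule tree: the first custom child whose only condition is
    <if_sid> on the fired rule wins and its level replaces the parent's.
    Returns (winning_rule_id, level, alert_written)."""
    winner, level = fired_rule_id, stock_levels[fired_rule_id]
    for rid in sorted(rules):
        r = rules[rid]
        if fired_rule_id in r["if_sid"] and not r["conditions"]:
            winner, level = rid, r["level"]
            break
    return winner, level, level >= LOG_ALERT_LEVEL


if __name__ == "__main__":
    rules = parse_rules(LOCAL_RULES)
    for problem in lint_rules(rules):
        print("lint:", problem)
    for fired in (18153, 5716):
        winner, level, alerts = would_alert(fired, rules)
        print(f"rule {fired} fired -> rule {winner}, level {level}, alert written: {alerts}")
```

Running it shows 18153 resolving to rule 100002 at level 0 (no alert) while 5716 still alerts at level 5, because rule 100001 carries an extra `<srcip>` condition and so does not apply to every sshd failure. Two caveats worth keeping in mind when choosing between the two options: a level-0 rule only stops the alert, so with `<logall>yes</logall>` the raw 4656 events still land in the manager's archives; and the Logstash `drop {}` of option b) only keeps the document out of Elasticsearch, the alert is still written to the manager's alerts.json and alerts.log. On Wazuh 3.x, `/var/ossec/bin/ossec-logtest` can confirm that a sample event actually reaches the child rule before the manager is restarted.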

Jacky Qin

Apr 23, 2019, 5:41:52 AM
to Wazuh mailing list
Hi Jesús,

Thank you very much for your reply; it has helped me a lot, and I can make better use of Wazuh.

Best regards,
Jacky

On Monday, April 22, 2019 at 5:50:01 PM UTC+8, jesus.g...@wazuh.com wrote: