Hello Folks,
-> File Integrity Monitoring and Windows security policy alerts: event 4663 is not generating this particular alert. I followed the link below.
-> https://blog.wazuh.com/file-integrity-monitoring-windows-user-groups/
-> Except for the 4663 alerts, all the other events are sent to the manager machine if I modify any content.
-> In the Windows agent, event ID 4663 has been added in the ossec.conf configuration.
-> Please give me a suggestion for fixing this 4663 audit success alert event.
Thanks and regards,
S.jagannathan.
Hello again @smtpchecking02,
After reviewing the article, it's mainly outdated. The paths that Joe is talking about have been changed, and the decoders/rules have been changed too, so there is no need to follow the article as is.
Now custom rules should be added in /var/ossec/etc/rules/local_rules.xml, and custom decoders should be added in /var/ossec/etc/decoders/local_decoder.xml. On the other hand, the default ruleset is located at /var/ossec/ruleset. Useful docs about it: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html.
Regarding FIM capabilities, Wazuh has evolved a lot; our FIM engine is slightly different and better at this moment. We have improved FIM in multiple ways, and now you can take advantage of the whodata and realtime features.
We have a useful article located at https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-windows.html where we are talking about who-data in Windows.
The who-data feature uses Windows audit policies combined with your syscheck configuration, this way you can know about the user who did a certain action in your monitored files.
Example:
<syscheck>
<directories check_all="yes" whodata="yes">C:\Windows\System32\drivers\etc</directories>
</syscheck>
Now you can track most actions that occurred in your monitored directories, and you'll have all-in-one alerts for FIM.
I’ve created a rule in /var/ossec/etc/rules/local_rules.xml in order to verify the sample log:
<group name="syscheck,">
<rule id="90015" level="15">
<if_sid>18104</if_sid>
<match>Accesses: %%4416</match>
<description>Windows User attempted to access an object</description>
</rule>
</group>
/var/ossec/bin/ossec-logtest
2018/12/05 08:39:36 ossec-testrule: INFO: Started (pid: 5864).
ossec-testrule: Type one log per line.
2016 Apr 26 19:24:39 WinEvtLog: Security: AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-UENN0U6R5SF: An attempt was made to access an object. Subject: Security ID: S-1-5-21-2910110503-590998239-2551655963-1006 Account Name: Jtest Account Domain: WIN-UENN0U6R5SF Logon ID: 0xef8f7ee Object: Object Server: Security Object Type: File Object Name: C:\tmp\bank_information.txt Handle ID: 0x134 Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\notepad.exe Access Request Information: Accesses: %%4416 Access Mask: 0x1
[...]
**Phase 3: Completed filtering (rules).
Rule id: '90015'
Level: '15'
Description: 'Windows User attempted to access an object'
**Alert to be generated.
For your use case you should follow the blog post you mentioned only for configuring your Windows policies, the article explains that fine. Then, for the Wazuh side, my suggestion is to only add that rule and restart the Wazuh manager. Also remember that you must add your desired directories on the agent side configuration (using its ossec.conf or using our group capabilities).
vi /var/ossec/etc/rules/local_rules.xml
systemctl restart wazuh-manager
How to edit the configuration for your agent:
ossec.conf on the agent side: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/index.html
If you choose groups, the agent will be restarted after a while. If you modify the agent's ossec.conf, you must restart it as follows:
systemctl restart wazuh-agent
I hope it helps.
Kind regards,
Jesús
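To make the rule-matching step above concrete, here is an added Python example (not Wazuh code and not part of the thread) that mimics what ossec-logtest does with a WinEvtLog 4663 line: it splits the line into header fields and the 4663 body fields (account, object, process, access codes), then applies a rule equivalent to 90015. The `<if_sid>18104</if_sid>` parent condition is modelled simply as "the event is an AUDIT_SUCCESS", and `<match>` as a plain substring test; both are simplifying assumptions. The example goes one step beyond the thread by adding a second, hypothetical rule 90016 keyed on `%%4417`, which I take to be the WriteData access code (assumed, not stated on the page). The sample log lines are constructed; the first reproduces the shape of the logtest input shown above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events, NOT real agent output. The first reproduces the
# shape of the logtest line in the thread; the other two are variations.
SAMPLE_LOGS = [
    "2016 Apr 26 19:24:39 WinEvtLog: Security: AUDIT_SUCCESS(4663): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-UENN0U6R5SF: "
    "An attempt was made to access an object. Subject: Security ID: "
    "S-1-5-21-2910110503-590998239-2551655963-1006 Account Name: Jtest "
    "Account Domain: WIN-UENN0U6R5SF Logon ID: 0xef8f7ee Object: Object Server: Security "
    "Object Type: File Object Name: C:\\tmp\\bank_information.txt Handle ID: 0x134 "
    "Process Information: Process ID: 0x9bc Process Name: C:\\Windows\\System32\\notepad.exe "
    "Access Request Information: Accesses: %%4416 Access Mask: 0x1",
    # Constructed: same object, but a write access code (%%4417 assumed = WriteData).
    "2018 Dec 05 08:40:01 WinEvtLog: Security: AUDIT_SUCCESS(4663): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-UENN0U6R5SF: "
    "An attempt was made to access an object. Subject: Security ID: "
    "S-1-5-21-2910110503-590998239-2551655963-1006 Account Name: Jtest "
    "Account Domain: WIN-UENN0U6R5SF Logon ID: 0xef8f7ee Object: Object Server: Security "
    "Object Type: File Object Name: C:\\tmp\\bank_information.txt Handle ID: 0x140 "
    "Process Information: Process ID: 0x9bc Process Name: C:\\Windows\\System32\\notepad.exe "
    "Access Request Information: Accesses: %%4417 Access Mask: 0x2",
    # Constructed: an audit success that is not an object-access event at all.
    "2018 Dec 05 08:40:30 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-UENN0U6R5SF: "
    "An account was successfully logged on. Subject: Security ID: S-1-0-0 "
    "Account Name: - Account Domain: - Logon ID: 0x0",
]

# Header of a WinEvtLog line: timestamp, channel, status(event id), provider, body.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<provider>[^:]+): (?P<rest>.*)$"
)

# Body fields of a 4663 message. "Accesses:" may list several %%codes.
FIELD_PATTERNS = {
    "account_name": re.compile(r"Account Name: (\S+)"),
    "object_name": re.compile(r"Object Name: (.+?) Handle ID:"),
    "process_name": re.compile(r"Process Name: (.+?) Access Request Information:"),
}
ACCESSES_RE = re.compile(r"Accesses: ((?:%%\d+\s*)+)")


def parse_winevtlog(line: str) -> Optional[dict]:
    """Split a WinEvtLog line into header fields plus any 4663 body fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = {
        "timestamp": m.group("ts"),
        "channel": m.group("channel"),
        "status": m.group("status"),
        "event_id": int(m.group("event_id")),
        "provider": m.group("provider"),
        "message": m.group("rest"),
        "fields": {},
    }
    for name, pattern in FIELD_PATTERNS.items():
        fm = pattern.search(event["message"])
        if fm:
            event["fields"][name] = fm.group(1)
    am = ACCESSES_RE.search(event["message"])
    if am:
        event["fields"]["accesses"] = am.group(1).split()
    return event


@dataclass
class Rule:
    rule_id: int
    level: int
    parent_status: str  # stands in for <if_sid>18104</if_sid> (audit success)
    match: str          # stands in for <match>: a plain substring test
    description: str


@dataclass
class Alert:
    rule_id: int
    level: int
    description: str
    fields: dict


RULES = [
    # Equivalent of the rule shared in the thread.
    Rule(90015, 15, "AUDIT_SUCCESS", "Accesses: %%4416",
         "Windows User attempted to access an object"),
    # Hypothetical extension, not from the thread: %%4417 assumed to be WriteData.
    Rule(90016, 15, "AUDIT_SUCCESS", "Accesses: %%4417",
         "Windows User attempted to write to an object"),
]


def evaluate(line: str, rules=RULES) -> Optional[Alert]:
    """Return the alert for the first rule whose parent condition and match hold."""
    event = parse_winevtlog(line)
    if event is None:
        return None
    for rule in rules:
        if event["status"] == rule.parent_status and rule.match in line:
            return Alert(rule.rule_id, rule.level, rule.description, dict(event["fields"]))
    return None


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        alert = evaluate(sample)
        if alert:
            print(f"Rule id: '{alert.rule_id}' Level: '{alert.level}' "
                  f"Description: '{alert.description}'")
            print(f"  fields: {alert.fields}")
        else:
            print(f"No alert for event: {sample[:50]}...")
```

Running the script prints an alert for the first two constructed lines and none for the 4624 logon, which is the same outcome you would expect from feeding those lines to ossec-logtest with rule 90015 loaded (and a 90016 twin, if you chose to add one). The point of the extracted fields is that an alert keyed only on "Accesses: %%4416" fires for every read of any audited file, so filtering on object_name or process_name in the real rule is usually the next step once the basic alert is confirmed.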
-> Useful docs about it: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html. I followed this document only.
Hello again @smtpchecking02,
Well, that's the name that Joe put on the blog post. But the event from the blog post has been tested using the rule that I shared with you, as you can see in my last message. Try to filter using rule.id instead of a simple string or name.
Also, I tried to explain a bit how FIM has been improved and how who-data helps you check users and groups regarding FIM events, and I provided you a working rule.
My explanation was written to share all our recently added improvements and capabilities; older Wazuh versions had less information regarding FIM. As you can see in my logtest output, the event fires my rule and shows Description: 'Windows User attempted to access an object'
Regards
Hello Folks,
-> I created a folder under the C: local disk directory on the Windows agent machine, and under that folder I created a text file. If I modify anything in that text file an alert should be generated on the Ubuntu manager machine, but I am not getting the audit-success 4663 alerts.
-> I attached the rule ID for which I am not getting the alert; please give me a solution for fixing this alert issue.