Rule for Monitoring Windows Domain Admin Modifications


Kevin Innerst

Mar 10, 2022, 1:09:56 PM
to Wazuh mailing list
Hello, 

I am trying to create a rule that will send an email alert whenever a user is added to the Domain Admins group in AD. Below is the one I have been trying to test with, but it is not working. Any idea what I am doing wrong?

<group name="Windows AD Monitoring">
  <rule id="100049" level="12">
    <field name="win.system.eventID">^4728$</field>
    <field name="win.eventdata.targetUserName">^Domain Admins$</field>
    <options>alert_by_email</options>
    <description>Domain Admin Permissions Added</description>
  </rule>
</group>

Christian Borla

Mar 10, 2022, 2:15:45 PM
to Wazuh mailing list
Hello keinnerst,
I hope you are doing fine!

I'm not sure whether the issue is that the rule doesn't create the alert or that it doesn't send the email.
I was looking for event ID 4728 examples, and I can't find 'targetUserName'. I wonder if you have an example log of this event.

Event Details for Event ID: 4728
A member was added to a security-enabled global group.
 Subject:
  Security ID:  TESTLAB\Santosh
  Account Name:  Santosh
  Account Domain:  TESTLAB
  Logon ID:  0x50B79DA
 Member:
  Security ID:  TESTLAB\Temp
  Account Name:    CN=Temp,CN=Users,DC=AD,DC=TESTLAB,DC=NET
 Group:
  Security ID:  TESTLAB\Domain Admins
  Group Name:  Domain Admins
  Group Domain:  TESTLAB

To trigger an alert you should find the 4728 Windows event on the manager side in /var/ossec/logs/archive/archives.json. If archives.json doesn't exist, set the following config and restart the manager.
In ossec.conf on the manager side, enable it:
        <ossec_config>
                <global>
                        <!-- write alerts to alerts.log -->
                        <alerts_log>yes</alerts_log>
                        <!-- archive every received event, including ones that match no rule -->
                        <logall>yes</logall>
                        <!-- also write the archive in JSON form (archives.json) -->
                        <logall_json>yes</logall_json>
                </global>
        </ossec_config>

Then look for the event that should trigger this rule in /var/ossec/logs/archive/archives.json. It's possible to test the rule with /var/ossec/bin/wazuh-logtest.
The rule configuration looks good, and the email configuration too. Maybe updating the line <field name="win.eventdata.targetUserName">^Domain Admins$</field> to <field name="win.eventdata.groupName">^Domain Admins$</field> will fix it, but I'm not sure.

Please check the archives.json file and share an example log.
Let me know if this information is useful to you.
Regards.
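As an added illustration (not code from either poster or from Wazuh), the following script emulates how a rule made only of <field> checks is evaluated against a decoded event, so the two field names discussed above can be compared before touching the ruleset. The archives.json record is constructed from the 4728 event quoted in this post, using the camelCase names the Wazuh windows_eventchannel decoder emits; in the 4728 EventData schema the group that received the member is carried in TargetUserName, which is the assumption behind the mapping.

```python
import json
import re

# Constructed archives.json record (not a real capture) for the 4728 event
# quoted above. The Group Name line of the post lands in
# win.eventdata.targetUserName, because 4728's EventData "TargetUserName"
# is the group, while the added account is in memberName.
def make_4728(group="Domain Admins",
              member="CN=Temp,CN=Users,DC=AD,DC=TESTLAB,DC=NET"):
    return json.dumps({"data": {"win": {
        "system": {"eventID": "4728", "channel": "Security"},
        "eventdata": {
            "subjectUserName": "Santosh", "subjectDomainName": "TESTLAB",
            "subjectLogonId": "0x50b79da",
            "memberName": member,
            "targetUserName": group, "targetDomainName": "TESTLAB",
        },
    }}})

def flatten(obj, prefix=""):
    """Turn nested JSON into the dotted names used by <field name="...">."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = str(value)
    return out

def rule_matches(archive_line, conditions):
    """Emulate a rule built only from <field> checks: every named field must
    be present in the decoded event and match its regex. Python's re stands
    in for Wazuh's OS_Regex; the ^...$ anchors behave the same here."""
    fields = flatten(json.loads(archive_line)["data"])
    return all(name in fields and re.search(regex, fields[name]) is not None
               for name, regex in conditions)

# The two rule variants discussed in the thread, as (field, regex) pairs.
RULE_TARGET_USER = [("win.system.eventID", r"^4728$"),
                    ("win.eventdata.targetUserName", r"^Domain Admins$")]
RULE_GROUP_NAME = [("win.system.eventID", r"^4728$"),
                   ("win.eventdata.groupName", r"^Domain Admins$")]

if __name__ == "__main__":
    for label, rule in (("targetUserName", RULE_TARGET_USER),
                        ("groupName", RULE_GROUP_NAME)):
        print(f"{label}: Domain Admins -> {rule_matches(make_4728(), rule)}, "
              f"other group -> {rule_matches(make_4728('Backup Operators'), rule)}")
```

The same comparison against a real record pulled from archives.json, or run through wazuh-logtest, is the check that tells you which field name the decoder actually populated.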

Kevin Innerst

Mar 14, 2022, 8:30:25 AM
to Wazuh mailing list
I got it fixed. Thanks for your help. I was editing the wrong ruleset that is no longer used.