Kerberos and NTLM logs


Alejandro Gonzalez Martinez

Jun 2, 2023, 10:24:53 AM
to Wazuh mailing list
Hello,

I have configured auditing of login events on a domain controller and in the event viewer I see events 4776, 4771 and 4768.

When I access Wazuh and search for these events, I don't see any. Do I have to configure something?

Thank you

Pablo Ariel Gonzalez

Jun 2, 2023, 11:16:47 AM
to Wazuh mailing list
Hi Alejandro,

In order to ingest the event viewer logs you have to configure Sysmon on your computer if you have not already done so. In our blog there is an article on using Wazuh to monitor Sysmon events and another focused on how to detect threats in AD, but that could serve as a guide for the configuration you want to apply.

If you want more information or have any additional questions do not hesitate to write us.


Thanks,

Alejandro Gonzalez Martinez

Jun 2, 2023, 1:35:52 PM
to Wazuh mailing list

And does this have to be done for certain events? Because in Wazuh I see the 4625 events generated on the member servers and client computers and I haven't installed Sysmon.

Thanks.

Pablo Ariel Gonzalez

Jun 5, 2023, 10:01:36 PM
to Wazuh mailing list
Hi Alejandro,

Sorry for the delay, I had not seen your reply. Let me check and confirm it for you.

Thanks,

Pablo Ariel Gonzalez

Jun 5, 2023, 10:36:39 PM
to Wazuh mailing list
Hi Alejandro,

Sorry again for the delay. Regarding your query, Wazuh has a list of events that are identified by the existing default rules. Additional information can be found in the official documentation.

Reviewing the events you indicate, 4776, 4771 and 4768 are not within the security category.
On the other hand, event 4625 is recognized. Therefore you can see it in Wazuh without any additional configuration.
(screenshot attached: 2023-06-05_23-27.png)

In case there is no rule and decoder for the desired event, it will be necessary to create one so that Wazuh can identify the event and manage it properly.

The Wazuh documentation has detailed information on how to create and test a custom rule and an example of it.


Thanks,
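
A worked example of the custom rules Pablo refers to, added here for illustration and not part of the thread or of the Wazuh ruleset itself. It covers the three event IDs Alejandro asked about and builds a simple brute-force detection on top of the failure events. Assumptions: the rules go into the manager's local rules file (custom rule IDs 100100 and up, in the range reserved for user rules); 60104 and 60103 are the "audit success" and "audit failure" parent rules of the default Windows ruleset, which should be confirmed against the ruleset installed on the manager; field names (`win.system.eventID`, `win.eventdata.status`, `win.eventdata.targetUserName`, `win.eventdata.ipAddress`, `win.eventdata.workstation`) follow how the `windows_eventchannel` decoder flattens Security-channel events; and the Kerberos status codes are the standard KDC values (0x18 = pre-authentication failed, 0x6 = client principal not found).

```xml
<!-- Added example, not from the thread or the Wazuh project.
     Assumes: local_rules.xml on the manager; parent rules 60104 (audit success)
     and 60103 (audit failure) from the default Windows ruleset; Kerberos
     status codes 0x18 (bad password at pre-auth) and 0x6 (unknown user). -->
<group name="windows,windows_security,authentication,">

  <!-- 4768: Kerberos TGT requested successfully (level 3 = informational). -->
  <rule id="100100" level="3">
    <if_sid>60104</if_sid>
    <field name="win.system.eventID">^4768$</field>
    <description>Kerberos TGT requested for $(win.eventdata.targetUserName) from $(win.eventdata.ipAddress)</description>
    <options>no_full_log</options>
  </rule>

  <!-- 4768 with a failure status: TGT request denied.
       0x6 means the client principal does not exist (username enumeration indicator). -->
  <rule id="100101" level="5">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4768$</field>
    <field name="win.eventdata.status">^0x6$</field>
    <description>Kerberos TGT request for unknown user $(win.eventdata.targetUserName) from $(win.eventdata.ipAddress)</description>
    <options>no_full_log</options>
  </rule>

  <!-- 4771: Kerberos pre-authentication failed.
       Status 0x18 is the wrong-password case; other statuses (clock skew, etc.) stay at the base level. -->
  <rule id="100102" level="5">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4771$</field>
    <field name="win.eventdata.status">^0x18$</field>
    <description>Kerberos pre-authentication failed (bad password) for $(win.eventdata.targetUserName) from $(win.eventdata.ipAddress)</description>
    <options>no_full_log</options>
  </rule>

  <!-- Correlation: 8 or more 4771/0x18 failures from the same source IP within 2 minutes. -->
  <rule id="100103" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100102</if_matched_sid>
    <same_field>win.eventdata.ipAddress</same_field>
    <description>Possible Kerberos password brute force from $(win.eventdata.ipAddress)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <options>no_full_log</options>
  </rule>

  <!-- 4776: NTLM credential validation by the DC. Status 0x0 is success; anything else is a failure. -->
  <rule id="100104" level="3">
    <if_sid>60104</if_sid>
    <field name="win.system.eventID">^4776$</field>
    <description>NTLM credential validation succeeded for $(win.eventdata.targetUserName) from $(win.eventdata.workstation)</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100105" level="5">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4776$</field>
    <description>NTLM credential validation failed for $(win.eventdata.targetUserName) from $(win.eventdata.workstation) (status $(win.eventdata.status))</description>
    <options>no_full_log</options>
  </rule>

  <!-- Correlation: repeated NTLM failures against one account (4776 carries no source IP, only the workstation name). -->
  <rule id="100106" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100105</if_matched_sid>
    <same_field>win.eventdata.targetUserName</same_field>
    <description>Possible NTLM password brute force against $(win.eventdata.targetUserName)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <options>no_full_log</options>
  </rule>

</group>
```

After adding the rules, restart the manager and feed a copy of one real 4771 event (as the agent forwards it, i.e. the JSON produced by the eventchannel decoder) into `wazuh-logtest` to confirm that rule 100102 fires before relying on the correlation rule; if the parent rule IDs differ on your installation, the child rules will silently never match, which is the first thing to check when the test shows only the generic "Windows audit failure event".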

Alejandro Gonzalez Martinez

Jun 6, 2023, 5:11:25 AM
to Wazuh mailing list
Hi Pablo, thanks for the answer.

I have seen that there is a rule that collects event 4769.

For the rest of the events I will create a custom rule.
(screenshot attached: wazuh_snap.PNG)

Pablo Ariel Gonzalez

Jun 6, 2023, 10:13:53 AM
to Wazuh mailing list
Hi Alejandro,

Perfect, if you have any further questions do not hesitate to write us again.

Thanks,
