Wazuh not detecting all 4769 events cont'd


Dominik Steffan

Jul 30, 2024, 4:35:35 AM7/30/24
to Wazuh | Mailing List
Hi,
as previously noted by Jorge S, not all 4769 events show up in alerts, although they are visible in the archive log.
This is about collecting logs from a Windows DC to alert on possible kerberoasting attacks.
One possible distinction is the field data.win.eventdata.ipaddress, which only seems to fire alerts with the address ::1.
When doing a kerberoast attack, the logs show up in the DC eventvwr and the archive of Wazuh, but no alert is fired, although rule 60106 should apply, and it also does with tickets requested by the DC itself.
So the main distinction seems to be the ipaddress field. See the two JSON logs attached, the first being from the DC itself, which fires an alert as intended, and the second, which should fire an alert and also possibly has a malformed ipaddress field:

::ffff:10.0.0.16

4769 from the DC itself (rule fires):

```
{
  "_index": "wazuh-alerts-4.x-2024.07.30",
  "_id": "eendAZEBGiUL6XmJQ0ot",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": {
      "type": "log"
    },
    "agent": {
      "ip": "10.0.0.111",
      "name": "enterprise-dc",
      "id": "001"
    },
    "manager": {
      "name": "enterprise-attacker"
    },
    "data": {
      "win": {
        "eventdata": {
          "logonGuid": "{21635c90-f7a4-39ce-65ce-7c967d6d6e08}",
          "targetUserName": "ENTERPRISE-DC$@ENTERPRISE.LOCAL",
          "ticketOptions": "0x40810000",
          "ipPort": "0",
          "ipAddress": "::1",
          "targetDomainName": "ENTERPRISE.LOCAL",
          "requestTicketHash": "6wTwX8bToDxgWHGe6u47B98jz0BBV2QXtN299ud6ikg=",
          "serviceSid": "S-1-5-21-3294798438-2719725478-2944407717-1002",
          "serviceName": "ENTERPRISE-DC$",
          "responseTicketHash": "BB4/W6Ca5j0pldLC0MYLkfw0JDHT1kC7rsiczCyY+E4=",
          "ticketEncryptionType": "0x12",
          "status": "0x0"
        },
        "system": {
          "eventID": "4769",
          "keywords": "0x8020000000000000",
          "providerGuid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
          "level": "0",
          "channel": "Security",
          "opcode": "0",
          "message": "\"A Kerberos service ticket was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tENTERPRISE-DC$@ENTERPRISE.LOCAL\r\n\tAccount Domain:\t\tENTERPRISE.LOCAL\r\n\tLogon GUID:\t\t{21635c90-f7a4-39ce-65ce-7c967d6d6e08}\r\n\r\nService Information:\r\n\tService Name:\t\tENTERPRISE-DC$\r\n\tService ID:\t\tS-1-5-21-3294798438-2719725478-2944407717-1002\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::1\r\n\tClient Port:\t\t0\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810000\r\n\tTicket Encryption Type:\t0x12\r\n\tFailure Code:\t\t0x0\r\n\tTransited Services:\t-\r\n\r\nTicket information\r\n\tRequest ticket hash:\t\t6wTwX8bToDxgWHGe6u47B98jz0BBV2QXtN299ud6ikg=\r\n\tResponse ticket hash:\t\tBB4/W6Ca5j0pldLC0MYLkfw0JDHT1kC7rsiczCyY+E4=\r\n\r\nThis event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.\r\n\r\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\r\n\r\nTicket options, encryption types, and failure codes are defined in RFC 4120.\"",
          "version": "1",
          "systemTime": "2024-07-30T04:19:13.0621649Z",
          "eventRecordID": "193197",
          "threadID": "7280",
          "computer": "enterprise-dc.enterprise.local",
          "task": "14337",
          "processID": "656",
          "severityValue": "AUDIT_SUCCESS",
          "providerName": "Microsoft-Windows-Security-Auditing"
        }
      }
    },
    "rule": {
      "mail": false,
      "level": 3,
      "hipaa": [
        "164.312.b"
      ],
      "pci_dss": [
        "10.2.5"
      ],
      "tsc": [
        "CC6.8",
        "CC7.2",
        "CC7.3"
      ],
      "description": "Windows logon success.",
      "groups": [
        "windows",
        "windows_security",
        "authentication_success"
      ],
      "nist_800_53": [
        "AC.7",
        "AU.14"
      ],
      "gdpr": [
        "IV_32.2"
      ],
      "firedtimes": 53,
      "mitre": {
        "technique": [
          "Valid Accounts"
        ],
        "id": [
          "T1078"
        ],
        "tactic": [
          "Defense Evasion",
          "Persistence",
          "Privilege Escalation",
          "Initial Access"
        ]
      },
      "id": "60106",
      "gpg13": [
        "7.1",
        "7.2"
      ]
    },
    "location": "EventChannel",
    "decoder": {
      "name": "windows_eventchannel"
    },
    "id": "1722313154.6907422",
    "timestamp": "2024-07-30T04:19:14.152+0000"
  },
  "fields": {
    "timestamp": [
      "2024-07-30T04:19:14.152Z"
    ]
  },
  "highlight": {
    "data.win.system.eventID": [
      "@opensearch-dashboards-highlighted-field@4769@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1722313154152
  ]
}
```

4769 from an attacker (rule doesn't fire):
```
{
  "_index": "wazuh-archives-4.x-2024.07.30",
  "_id": "hul6ApEBGiUL6XmJPU8g",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "ip": "10.0.0.111",
      "name": "enterprise-dc",
      "id": "001"
    },
    "manager": {
      "name": "enterprise-attacker"
    },
    "data": {
      "win": {
        "eventdata": {
          "logonGuid": "{a0ed7a29-c95d-5178-40c4-c30faee9440b}",
          "targetUserName": "Admini...@ENTERPRISE.LOCAL",
          "ticketOptions": "0x40810000",
          "ipPort": "53849",
          "ipAddress": "::ffff:10.0.0.16",
          "targetDomainName": "ENTERPRISE.LOCAL",
          "requestTicketHash": "uoNOK8C3IHJcaE7eUafyvySDGnqZpigxStN5SGzoYuc=",
          "serviceSid": "S-1-5-21-3294798438-2719725478-2944407717-1002",
          "serviceName": "ENTERPRISE-DC$",
          "responseTicketHash": "u8uczi1IMxMuVnLrmYT/ihXwhWzLVdQTQCtS/+NiAz0=",
          "ticketEncryptionType": "0x12",
          "status": "0x0"
        },
        "system": {
          "eventID": "4769",
          "keywords": "0x8020000000000000",
          "providerGuid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
          "level": "0",
          "channel": "Security",
          "opcode": "0",
          "message": "\"A Kerberos service ticket was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tAdmini...@ENTERPRISE.LOCAL\r\n\tAccount Domain:\t\tENTERPRISE.LOCAL\r\n\tLogon GUID:\t\t{a0ed7a29-c95d-5178-40c4-c30faee9440b}\r\n\r\nService Information:\r\n\tService Name:\t\tENTERPRISE-DC$\r\n\tService ID:\t\tS-1-5-21-3294798438-2719725478-2944407717-1002\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:10.0.0.16\r\n\tClient Port:\t\t53849\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810000\r\n\tTicket Encryption Type:\t0x12\r\n\tFailure Code:\t\t0x0\r\n\tTransited Services:\t-\r\n\r\nTicket information\r\n\tRequest ticket hash:\t\tuoNOK8C3IHJcaE7eUafyvySDGnqZpigxStN5SGzoYuc=\r\n\tResponse ticket hash:\t\tu8uczi1IMxMuVnLrmYT/ihXwhWzLVdQTQCtS/+NiAz0=\r\n\r\nThis event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.\r\n\r\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\r\n\r\nTicket options, encryption types, and failure codes are defined in RFC 4120.\"",
          "version": "1",
          "systemTime": "2024-07-30T07:06:09.5951344Z",
          "eventRecordID": "194708",
          "threadID": "872",
          "computer": "enterprise-dc.enterprise.local",
          "task": "14337",
          "processID": "656",
          "severityValue": "AUDIT_SUCCESS",
          "providerName": "Microsoft-Windows-Security-Auditing"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"4769\",\"version\":\"1\",\"level\":\"0\",\"task\":\"14337\",\"opcode\":\"0\",\"keywords\":\"0x8020000000000000\",\"systemTime\":\"2024-07-30T07:06:09.5951344Z\",\"eventRecordID\":\"194708\",\"processID\":\"656\",\"threadID\":\"872\",\"channel\":\"Security\",\"computer\":\"enterprise-dc.enterprise.local\",\"severityValue\":\"AUDIT_SUCCESS\",\"message\":\"\\\"A Kerberos service ticket was requested.\\r\\n\\r\\nAccount Information:\\r\\n\\tAccount Name:\\t\\tAdmini...@ENTERPRISE.LOCAL\\r\\n\\tAccount Domain:\\t\\tENTERPRISE.LOCAL\\r\\n\\tLogon GUID:\\t\\t{a0ed7a29-c95d-5178-40c4-c30faee9440b}\\r\\n\\r\\nService Information:\\r\\n\\tService Name:\\t\\tENTERPRISE-DC$\\r\\n\\tService ID:\\t\\tS-1-5-21-3294798438-2719725478-2944407717-1002\\r\\n\\r\\nNetwork Information:\\r\\n\\tClient Address:\\t\\t::ffff:10.0.0.16\\r\\n\\tClient Port:\\t\\t53849\\r\\n\\r\\nAdditional Information:\\r\\n\\tTicket Options:\\t\\t0x40810000\\r\\n\\tTicket Encryption Type:\\t0x12\\r\\n\\tFailure Code:\\t\\t0x0\\r\\n\\tTransited Services:\\t-\\r\\n\\r\\nTicket information\\r\\n\\tRequest ticket hash:\\t\\tuoNOK8C3IHJcaE7eUafyvySDGnqZpigxStN5SGzoYuc=\\r\\n\\tResponse ticket hash:\\t\\tu8uczi1IMxMuVnLrmYT/ihXwhWzLVdQTQCtS/+NiAz0=\\r\\n\\r\\nThis event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.\\r\\n\\r\\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\\r\\n\\r\\nTicket options, encryption types, and failure codes are defined in RFC 4120.\\\"\"},\"eventdata\":{\"targetUserName\":\"Admini...@ENTERPRISE.LOCAL\",\"targetDomainName\":\"ENTERPRISE.LOCAL\",\"serviceName\":\"ENTERPRISE-DC$\",\"serviceSid\":\"S-1-5-21-3294798438-2719725478-2944407717-1002\",\"ticketOptions\":\"0x40810000\",\"ticketEncryptionType\":\"0x12\",\"ipAddress\":\"::ffff:10.0.0.16\",\"ipPort\":\"53849\",\"status\":\"0x0\",\"logonGuid\":\"{a0ed7a29-c95d-5178-40c4-c30faee9440b}\",\"requestTicketHash\":\"uoNOK8C3IHJcaE7eUafyvySDGnqZpigxStN5SGzoYuc=\",\"responseTicketHash\":\"u8uczi1IMxMuVnLrmYT/ihXwhWzLVdQTQCtS/+NiAz0=\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2024-07-30T07:06:10.244Z",
    "location": "EventChannel",
    "id": "1722323170.11319439",
    "timestamp": "2024-07-30T07:06:10.244+0000"
  },
  "fields": {
    "@timestamp": [
      "2024-07-30T07:06:10.244Z"
    ],
    "timestamp": [
      "2024-07-30T07:06:10.244Z"
    ]
  },
  "highlight": {
    "data.win.system.eventID": [
      "@opensearch-dashboards-highlighted-field@4769@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1722323170244
  ]
}
```

I tried to check for problems in the decoder but couldn't find windows_eventchannel in the decoder files?

Thanks for your ideas!

Kind regards,
Dominik

Stuti Gupta

Jul 30, 2024, 6:02:41 AM7/30/24
to Wazuh | Mailing List
Hi Dominik,

For the first log, the 60106 rule is triggered because the EventID is 4769. However, for the second log, rule 92651 is triggered, which is a child rule of 60106. Rule 92651 has a rule level of 0 and meets the second condition of that rule. For an alert to be shown on the dashboard, it must have a rule level of 3 or higher. This is why you can't see the alerts for this event. You can create a custom rule based on 92651 with a higher rule level in local_rules.xml as follows:  

```xml
<!-- place inside an existing <group> block of local_rules.xml -->
<rule id="100005" level="3">
  <if_sid>92651</if_sid>
  <field name="win.eventdata.ipAddress">::\.+:10.0.0.\d+</field>
  <description>Successful Remote Logon by user:$(win.eventdata.targetDomainName)\$(win.eventdata.targetUserName) from $(win.eventdata.ipAddress).</description>
  <mitre>
    <id>T1078</id>
  </mitre>
  <group>authentication_success,gdpr_IV_32.2,gpg13_7.1,gpg13_7.2,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.5,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
```
You can refer to https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Hope this helps.
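As an added check, not from the thread or from Wazuh itself, the following Python reproduces what rule 100005's field condition does to the two events above: it translates the OSRegex pattern to a Python regex (treating `\.` as any character, `\d` as a digit and a bare `.` as a literal dot, as Wazuh's OSRegex syntax defines them), tests which event matches, expands the `$(...)` placeholders of the description, and normalises the client address, since `::ffff:10.0.0.16` is the IPv4-mapped IPv6 form (RFC 4291) rather than a malformed value. The event dicts are constructed from the fields shown in the two logs; only the OSRegex tokens used in this rule are handled.

```python
import ipaddress
import re

# Constructed test input: just the fields the custom rule 100005 reads,
# taken from the two 4769 samples in the thread.
DC_EVENT = {"win": {"system": {"eventID": "4769"}, "eventdata": {
    "targetUserName": "ENTERPRISE-DC$@ENTERPRISE.LOCAL",
    "targetDomainName": "ENTERPRISE.LOCAL", "ipAddress": "::1"}}}
REMOTE_EVENT = {"win": {"system": {"eventID": "4769"}, "eventdata": {
    "targetUserName": "Admini...@ENTERPRISE.LOCAL",
    "targetDomainName": "ENTERPRISE.LOCAL", "ipAddress": "::ffff:10.0.0.16"}}}

RULE_DESCRIPTION = (r"Successful Remote Logon by user:$(win.eventdata.targetDomainName)"
                    r"\$(win.eventdata.targetUserName) from $(win.eventdata.ipAddress).")

def osregex_to_python(pattern: str) -> str:
    """Translate the OSRegex subset used in the rule: '\\.' is any character,
    '\\d' a digit, a bare '.' a literal dot (assumption: other tokens unhandled)."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append("." if pattern[i + 1] == "." else "\\" + pattern[i + 1])
            i += 2
        else:
            out.append(r"\." if ch == "." else ch)
            i += 1
    return "".join(out)

RULE_FIELD_PATTERN = osregex_to_python(r"::\.+:10.0.0.\d+")

def field_matches(event: dict) -> bool:
    """Does the <field name="win.eventdata.ipAddress"> condition hold?"""
    return re.search(RULE_FIELD_PATTERN, event["win"]["eventdata"]["ipAddress"]) is not None

def client_ip(event: dict) -> str:
    """Return the plain IPv4 client when ipAddress is an IPv4-mapped IPv6 address."""
    addr = ipaddress.ip_address(event["win"]["eventdata"]["ipAddress"])
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped) if mapped else str(addr)

def render_description(event: dict) -> str:
    """Expand $(field.path) placeholders the way the rule's <description> does."""
    def lookup(match):
        node = event
        for key in match.group(1).split("."):
            node = node[key]
        return node
    return re.sub(r"\$\(([\w.]+)\)", lookup, RULE_DESCRIPTION)

if __name__ == "__main__":
    for name, ev in (("DC", DC_EVENT), ("remote", REMOTE_EVENT)):
        print(name, field_matches(ev), client_ip(ev), render_description(ev))
```

The DC's own `::1` requests fail the field condition, so the custom rule only raises the level-3 alert for the remote client, which is what the thread asked for.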