4674 | Rule Not Triggered


John Carry

Mar 1, 2023, 3:10:13 AM
to Wazuh mailing list
Hello Wazuh Team,
Hopefully you are doing well. After enabling manual capturing by setting the <logall> option to yes, we have observed that event ID 4672 is visible in the archives, but unfortunately it is not visible in the alerts in the Wazuh application.

I am attaching the relevant details below and, as a comparative analysis, I will also mention the details for event ID 4624, because it has exactly the same details (decoder, payload syntax, etc.) as event ID 4672, but 4624 is successfully triggered as a rule and visible in the GUI.

Event ID 4672: Special privileges assigned to new logon

Payload received from archives.log and archives.json:
Archive.log: [image attachment 4672-1.png]
Archive.JSON: [image attachment 4672-2.png]
Custom rule for 4672: [image attachment 22.PNG]


Event ID 4624: An account was successfully logged on

Archive.log: [image attachment 4624-1.png]
Archive.JSON: [image attachment 4624-2.png]
Default rule for 4624: [image attachment 33.PNG]

Please help us resolve the mentioned issue, as we need to trigger alerts for 4672.


Openime Oniagbi

Mar 1, 2023, 3:16:50 AM
to Wazuh mailing list
Hi John,

I am currently investigating the issue. I will respond as soon as I get a fix.

Regards,
Openime

Openime Oniagbi

Mar 1, 2023, 4:47:08 AM
to Wazuh mailing list
Hi John,

I have run some tests, and indeed the rule you have posted does not work. I have modified the rule, and it now works. 

Please take a look at the rule below. Test it and let me know if it meets your expectations.

<group name="AD-Alerts-Custom">
  <rule id="110200" level="12">
    <!-- Evaluated only after stock rule 60103 (Windows audit success event) has matched -->
    <if_sid>60103</if_sid>
    <!-- Anchored regex on the decoded eventID, so 4672 does not also match e.g. 46720 -->
    <field name="win.system.eventID">^4672$</field>
    <options>no_full_log</options>
    <description>Special privileges assigned to new logon</description>
  </rule>
</group>


Regards,
Openime

John Carry

Mar 1, 2023, 5:04:08 AM
to Wazuh mailing list
It worked by changing the provided <if_sid>, but I am observing that rule 60103 is applicable to success audits only, not to failure attempts, so are you sure that event ID 4672 won't be missed for any failure attempts?

Openime Oniagbi

Mar 1, 2023, 6:00:08 AM
to Wazuh mailing list
Hi John,

You can modify the rule to cover failure and success:


<group name="AD-Alerts-Custom">
  <rule id="110200" level="12">
    <!-- Parent may be either 60103 (Windows audit success event) or 60104 (Windows audit failure event) -->
    <if_sid>60103,60104</if_sid>
    <!-- Anchored regex on the decoded eventID, so 4672 does not also match e.g. 46720 -->
    <field name="win.system.eventID">^4672$</field>
    <options>no_full_log</options>
    <description>Special privileges assigned to new logon</description>
  </rule>
</group>

Regards,
Openime
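The reason the first custom rule stayed silent for failure audits is the if_sid chain: a child rule is only evaluated once one of its listed parents has matched the same event. The following is an added Python example (not Wazuh's code and not part of the thread) that models just that part of the rule evaluation. The parent rules 60101/60103/60104 are a paraphrase of the stock Windows security rules reduced to the one field each needs here, the field paths are the ones used in the rules above, and the three events are constructed sample records shaped like the decoded `data` object, not captured logs.

```python
"""Toy model of Wazuh parent/child (if_sid) rule matching.

Added example, not Wazuh's implementation: it keeps only what is needed to
show why rule 110200 fires or not depending on which parents it lists.
"""
import re
import xml.etree.ElementTree as ET

# Paraphrase of the stock Windows security rules (assumption: the real rules
# carry more conditions; only the field each needs for this demo is kept).
BASE_RULES = [
    # 60101: any decoded Windows eventchannel record
    {"id": 60101, "if_sid": [], "fields": {"win.system.eventID": r"^\d+$"}},
    # 60103: Windows audit success event, child of 60101
    {"id": 60103, "if_sid": [60101],
     "fields": {"win.system.severityValue": r"^AUDIT_SUCCESS$"}},
    # 60104: Windows audit failure event, child of 60101
    {"id": 60104, "if_sid": [60101],
     "fields": {"win.system.severityValue": r"^AUDIT_FAILURE$"}},
]

# The two custom rule versions from the thread, verbatim.
RULE_SUCCESS_ONLY = """<group name="AD-Alerts-Custom">
  <rule id="110200" level="12">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4672$</field>
    <options>no_full_log</options>
    <description>Special privileges assigned to new logon</description>
  </rule>
</group>"""

RULE_BOTH = RULE_SUCCESS_ONLY.replace("<if_sid>60103</if_sid>",
                                      "<if_sid>60103,60104</if_sid>")

# Constructed sample events, shaped like the decoded "data" object.
EVENTS = {
    "4672_success": {"win": {"system": {"eventID": "4672",
                                         "severityValue": "AUDIT_SUCCESS"}}},
    "4672_failure": {"win": {"system": {"eventID": "4672",
                                         "severityValue": "AUDIT_FAILURE"}}},
    "4624_success": {"win": {"system": {"eventID": "4624",
                                         "severityValue": "AUDIT_SUCCESS"}}},
}


def parse_rules(xml_text):
    """Read <rule> elements: id, comma-separated if_sid parents, field regexes."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        if_sid = r.find("if_sid")
        parents = ([int(s.strip()) for s in if_sid.text.split(",")]
                   if if_sid is not None else [])
        fields = {f.get("name"): f.text for f in r.findall("field")}
        rules.append({"id": int(r.get("id")), "if_sid": parents, "fields": fields})
    return rules


def get_field(event, dotted):
    """Resolve a dotted field name such as win.system.eventID; None if absent."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return str(node)


def rule_matches(event, rule, matched):
    """A rule matches if one listed parent already matched (when if_sid is set)
    and every <field> regex is found in the corresponding event field."""
    if rule["if_sid"] and not any(p in matched for p in rule["if_sid"]):
        return False
    for name, pattern in rule["fields"].items():
        value = get_field(event, name)
        if value is None or not re.search(pattern, value):
            return False
    return True


def evaluate(event, rules):
    """Return the ids of all rules that match, parents before children."""
    matched = []
    for rule in rules:
        if rule_matches(event, rule, matched):
            matched.append(rule["id"])
    return matched


def fired(event, custom_xml):
    """Stock parent rules followed by the custom rule under test."""
    return evaluate(event, BASE_RULES + parse_rules(custom_xml))


if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(name, "success-only:", fired(ev, RULE_SUCCESS_ONLY),
              "both:", fired(ev, RULE_BOTH))
```

Running it shows a 4672 audit-success record reaching 110200 under either version, a 4624 record stopping at 60103 under both, and a 4672 record carrying AUDIT_FAILURE reaching 110200 only when 60104 is also listed as a parent. Real Wazuh evaluation differs in details (rule ordering, first-match semantics, decoder prerequisites), so use wazuh-logtest against the archived JSON to confirm the chain on a live manager.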

Openime Oniagbi

Mar 2, 2023, 3:58:18 AM
to Wazuh mailing list
Did that help?

John Carry

Mar 13, 2023, 1:44:51 AM
to Wazuh mailing list
Hello Openime,
Yes, that worked!
Thanks
