Hi, Aykhan.
If you need to go deeper into the options you have to generate rules for Windows events, I recommend the following section of the documentation.
Here you can go to C:\Program Files (x86)\ossec-agent\ossec.conf and put EventID != 1121 or EventID != 1122 inside the localfile block.
By default, Wazuh comes like this:
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
  EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
  EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
  EventID != 5152 and EventID != 5157]</query>
</localfile>
Add EventID != 1121 or EventID != 1122.
A custom rule must be created following this logic:
- Rule 60000: general eventchannel rule
- Rule 60001: rule grouping all Security channel events
- Rule 60103: rule grouping all successful Security channel events (severityValue successful)
<rule id="100001" level="3">
  <if_sid>60103</if_sid>
  <field name="win.system.eventID">^1121$</field>
  <description>Anything</description>
</rule>
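As an added example (not part of the original reply), the same logic written out as a complete local_rules.xml group that covers both event IDs mentioned above; rule IDs 100001 and 100002 are assumed to be unused IDs in the custom rule range, and each rule hangs off the 60000 -> 60001 -> 60103 parent chain listed above:

```xml
<!-- local_rules.xml (added example; IDs 100001/100002 assumed free custom IDs) -->
<group name="local,windows,">
  <!-- Parent chain: 60000 (eventchannel) -> 60001 (Security channel)
       -> 60103 (successful Security channel events). Each child rule
       then matches one decoded eventID exactly, anchored with ^ and $. -->
  <rule id="100001" level="3">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^1121$</field>
    <description>Security channel event 1121 detected</description>
    <group>windows_eventid_1121,</group>
  </rule>

  <rule id="100002" level="3">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^1122$</field>
    <description>Security channel event 1122 detected</description>
    <group>windows_eventid_1122,</group>
  </rule>
</group>
```

After adding the file, restart the manager and confirm the rules load (for example with /var/ossec/bin/wazuh-logtest against a sample event) before relying on them for alerting.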