user admin


George Paun

Sep 1, 2025, 4:19:42 AM (6 days ago) Sep 1
to Wazuh | Mailing List
Hello guys,

I need some help. I made the following rule, but it doesn't trigger. Where is the mistake?

<rule id="100008" level="12">
    <if_sid>60111</if_sid>
    <field name="win.system.eventID">^629$|^4725$</field>
    <field name="win.eventdata.targetUserName">admin|Administrator|domainAdmin</field>
    <field name="win.eventdata.targetUserGroups">Administrators|Domain Admins|Enterprise Admins|wks.admin|wks admin</field>
    <options>no_full_log</options>
    <description>Admin or privileged user account disabled - $(win.eventdata.targetUserName)</description>
    <mitre>
      <id>T1098</id>
      <id>T1531</id>
    </mitre>
    <group>account_changed,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.10,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_AC.7,soar</group>
  </rule>

Thx,
George

hasitha.u...@wazuh.com

Sep 1, 2025, 5:05:15 AM (6 days ago) Sep 1
to Wazuh | Mailing List
Hi George

I have replicated this issue on my end with a sample log.

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4725","version":"0","level":"0","task":"13824","opcode":"0","keywords":"0x8020000000000000","systemTime":"2025-09-01T08:29:59.1597570Z","eventRecordID":"22038645","processID":"660","threadID":"1984","channel":"Security","computer":"test.hasitha.local","severityValue":"AUDIT_SUCCESS","message":"\"A user account was disabled.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-782931640-1297705727-1023849978-500\r\n\tAccount Name:\t\tadministrator\r\n\tAccount Domain:\t\tHasithaAD\r\n\tLogon ID:\t\t0xBB9DF6C3\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-782931640-1297705727-1023849978-1109\r\n\tAccount Name:\t\thasitha\r\n\tAccount Domain:\t\tHasithaAD\""},"eventdata":{"targetUserName":"admin","targetDomainName":"HasithaAD","targetSid":"S-1-5-21-782931640-1297705727-1023849978-1109","subjectUserSid":"S-1-5-21-782931640-1297705727-1023849978-500","subjectUserName":"administrator","subjectDomainName":"HasithaAD","subjectLogonId":"0xbb9df6c3"}}}
However, the sample log I tested after the simulation does not contain the win.eventdata.targetUserGroups field.
Therefore, this rule works fine after removing this line:
    <field name="win.eventdata.targetUserGroups">Administrators|Domain Admins|Enterprise Admins|wks.admin|wks admin</field>

    <rule id="100008" level="12">
        <if_sid>60111</if_sid>
        <field name="win.system.eventID">^629$|^4725$</field>
        <field name="win.eventdata.targetUserName">admin|Administrator|domainAdmin</field>
        <options>no_full_log</options>
        <description>Admin or privileged user account disabled - $(win.eventdata.targetUserName)</description>
        <mitre>
          <id>T1098</id>
          <id>T1531</id>
        </mitre>
        <group>account_changed,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.10,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_AC.7,soar</group>
      </rule>

      After modifying the rule, you need to restart the Wazuh manager to apply the changes.
      systemctl restart wazuh-manager

      I believe the disabled account log does not contain the targetUserGroups. Therefore, you cannot use that field in the rule.

      For further information regarding rules, you can refer to these guides.

      You can test Windows logs using this approach:
      Open the file /var/ossec/ruleset/rules/0575-win-base_rules.xml and edit rule 60000.
      Comment out the existing category and decoded_as sections, then add a new decoded_as tag with the value json.

        <rule id="60000" level="0">
      <!--    <category>ossec</category>
          <decoded_as>windows_eventchannel</decoded_as>  -->
          <decoded_as>json</decoded_as>
          <field name="win.system.providerName">\.+</field>
          <options>no_full_log</options>
          <description>Group of windows rules.</description>
        </rule>
      Then restart the Wazuh manager to apply changes.
      systemctl restart wazuh-manager

      You should copy a sample log from the archives.json file. Since it contains the full_log field, use that part when testing with logtest.
      To enable archives.json logging, set <logall_json>yes</logall_json> in the /var/ossec/etc/ossec.conf file of the Wazuh manager.
      Documentation: Wazuh Documentation | logall
      <ossec_config>
        <global>
          ...
          <logall_json>yes</logall_json>
          ...
        </global>
      </ossec_config>

      This option will allow you to see all the events being monitored by your manager in the /var/ossec/logs/archives/archives.json file. You will then be able to observe the incoming logs generated by your endpoints. After setting this option, restart the manager and check the archives.json file.
      Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.
      Check whether the archive log contains any relevant entries, using grep with a keyword related to the log:
      cat /var/ossec/logs/archives/archives.json | grep Keyword

      Then you can use wazuh-logtest tool to test the rule. 
      /var/ossec/bin/wazuh-logtest
      Ref: https://documentation.wazuh.com/current/user-manual/ruleset/testing.html

      Once testing is done, make sure to revert the rule back; otherwise, Windows logs won’t appear in the dashboard.

      Let me know if you need further assistance on this.
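The reason the posted rule never fires is the matching semantics of `<field>`: every `<field>` condition in a Wazuh rule must match, and a condition that names a key the decoded event does not carry can never match, so the rule as a whole is never evaluated as true. The script below is an added example, not Wazuh's code or anything from this thread's authors: it re-implements only that part of the matcher in Python, using the `re` module as a stand-in for Wazuh's own OS_Regex engine (an approximation, sufficient for these patterns) and treating `<if_sid>60111</if_sid>` as already satisfied by the parent Windows rule. It runs both versions of rule 100008 from the thread over the sample 4725 event from the reply (the long `message` text is shortened), and reports which fields were missing versus present-but-unmatched, which is exactly the distinction wazuh-logtest does not spell out.

```python
"""
Minimal model of Wazuh <field> matching: all <field> conditions must match,
and a field absent from the decoded event never matches. Added example, not
Wazuh's implementation; Python's re approximates Wazuh's OS_Regex here.
"""
import copy
import re
import xml.etree.ElementTree as ET

# Rule 100008 as posted in the first message (<mitre>/<group> omitted; they
# play no part in matching).
RULE_ORIGINAL = """<rule id="100008" level="12">
  <if_sid>60111</if_sid>
  <field name="win.system.eventID">^629$|^4725$</field>
  <field name="win.eventdata.targetUserName">admin|Administrator|domainAdmin</field>
  <field name="win.eventdata.targetUserGroups">Administrators|Domain Admins|Enterprise Admins|wks.admin|wks admin</field>
  <options>no_full_log</options>
  <description>Admin or privileged user account disabled - $(win.eventdata.targetUserName)</description>
</rule>"""

# The same rule with the targetUserGroups condition removed, as in the reply.
RULE_REDUCED = """<rule id="100008" level="12">
  <if_sid>60111</if_sid>
  <field name="win.system.eventID">^629$|^4725$</field>
  <field name="win.eventdata.targetUserName">admin|Administrator|domainAdmin</field>
  <options>no_full_log</options>
  <description>Admin or privileged user account disabled - $(win.eventdata.targetUserName)</description>
</rule>"""

# Decoded 4725 event from the reply, "message" shortened. Note there is no
# targetUserGroups key anywhere in eventdata.
SAMPLE_EVENT = {
    "win": {
        "system": {
            "providerName": "Microsoft-Windows-Security-Auditing",
            "eventID": "4725",
            "channel": "Security",
            "computer": "test.hasitha.local",
            "severityValue": "AUDIT_SUCCESS",
            "message": "A user account was disabled.",
        },
        "eventdata": {
            "targetUserName": "admin",
            "targetDomainName": "HasithaAD",
            "targetSid": "S-1-5-21-782931640-1297705727-1023849978-1109",
            "subjectUserName": "administrator",
            "subjectDomainName": "HasithaAD",
            "subjectLogonId": "0xbb9df6c3",
        },
    }
}


def flatten(obj, prefix=""):
    """Flatten nested JSON into the dotted names the Wazuh JSON decoder
    exposes to rules (win.system.eventID, win.eventdata.targetUserName, ...)."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = str(value)
    return out


def evaluate_rule(rule_xml, event):
    """Apply every <field> of the rule to the event. Returns whether the rule
    matched, which fields were absent from the event, and which were present
    but failed their regex. The description is expanded only on a match."""
    rule = ET.fromstring(rule_xml)
    fields = flatten(event)
    missing, unmatched = [], []
    for cond in rule.findall("field"):
        name, pattern = cond.get("name"), cond.text or ""
        if name not in fields:
            missing.append(name)          # can never match, whatever the regex
        elif re.search(pattern, fields[name]) is None:
            unmatched.append(name)
    matched = not missing and not unmatched
    description = None
    if matched:
        # Expand $(field) placeholders as the alert description would.
        description = re.sub(r"\$\(([^)]+)\)",
                             lambda m: fields.get(m.group(1), ""),
                             rule.findtext("description", ""))
    return {"rule_id": rule.get("id"), "level": int(rule.get("level")),
            "matched": matched, "missing_fields": missing,
            "unmatched_fields": unmatched, "description": description}


def event_with(event, system=None, eventdata=None):
    """Copy of the event with win.system / win.eventdata keys overridden,
    for constructing test variants."""
    e = copy.deepcopy(event)
    e["win"]["system"].update(system or {})
    e["win"]["eventdata"].update(eventdata or {})
    return e


if __name__ == "__main__":
    for xml_text in (RULE_ORIGINAL, RULE_REDUCED):
        print(evaluate_rule(xml_text, SAMPLE_EVENT))
```

Run as-is, the original rule reports `missing_fields == ["win.eventdata.targetUserGroups"]` and does not match, while the reduced rule matches and renders the description with the target account name. Adding a `targetUserGroups` value to the constructed event makes the original rule fire too, which confirms the problem is the absent field rather than the regexes. The same check is what wazuh-logtest performs for real once rule 60000 is switched to `<decoded_as>json</decoded_as>` as described above.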

      George Paun

      Sep 1, 2025, 5:09:25 AM (6 days ago) Sep 1
      to Wazuh | Mailing List
      Thanks for the response, Hasitha.
      How can I modify the rule to apply to all admin users? Because not all admin users have the name admin|Administrator|domainAdmin.

      Thanks,
      George

      George Paun

      Sep 1, 2025, 5:15:20 AM (6 days ago) Sep 1
      to Wazuh | Mailing List
      To be more explicit, I need it for all users with the Administrators role.