Re: monitoring AD group


Parash Mani Kafle

Jan 31, 2025, 5:14:25 AM
to Wazuh | Mailing List
Hi,

As per your query, you want rule id 60142 to be triggered if win.system.eventID is equal to 4726 and the log matches the keywords Administrator | System Administrator. For adding the custom rules:
  • Log in to the Wazuh dashboard
  • Click on the burger icon in the top left section
  • Click on Server management and then click Rules.
  • Click on Add new rules file
  • Provide the custom rule name with an .xml extension and paste the configuration given below.
  • Restart the wazuh-manager.
<!-- A rules file is loaded only if its rules sit inside a <group> element -->
<group name="local,">
  <rule id="60142" level="5" overwrite="yes">
    <if_sid>60113</if_sid>
    <field name="win.system.eventID">^633$|^4729$</field>
    <!-- "|" is the OR operator; spaces around it are literal, so keep the alternatives tight -->
    <match>Administrator|System Administrator</match>
    <description>Security Enabled Global Group Member Removed $(win.eventdata.memberSid)</description>
    <options>no_full_log</options>
    <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1484</id>
    </mitre>
  </rule>

  <!-- Child rule: fires only after the overwritten 60142 has already matched -->
  <rule id="100011" level="5">
    <if_sid>60142</if_sid>
    <match>Administrator|System Administrator</match>
    <description>Security Enabled Global Group Member Removed $(win.eventdata.memberSid)</description>
    <options>no_full_log</options>
    <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1484</id>
    </mitre>
  </rule>
</group>
Rule id 60142 will be overwritten by the custom rule, and a new rule has been created to trigger if the criteria match the 60104 (if_sid) and the event you receive matches System Administrator or Administrator. For your reference please visit the given URL:
https://documentation.wazuh.com/current/user-manual/ruleset/rules/index.html

I hope this helps. Please let us know if you have any queries.

On Tuesday, January 28, 2025 at 9:26:30 PM UTC+5:45 Mélina Derdab wrote:
Hello, I want to modify the alert level of rule 4729:

<rule id="60142" level="5">
  <if_sid>60113</if_sid>
  <field name="win.system.eventID">^633$|^4729$</field>
  <description>Security Enabled Global Group Member Removed $(win.eventdata.memberSid)</description>
  <options>no_full_log</options>
  <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  <mitre>
    <id>T1484</id>
  </mitre>
</rule>


I want this rule to be triggered if it concerns a directory group of my domain. I put the list of my groups to monitor with the following configuration, but that does not work: the alert does not show up in my dashboard.



<rule id="60142" level="5" overwrite="yes">
  <if_sid>60113</if_sid>
  <field name="win.system.eventID"> ^633$|^4729$</field>
  <field name="win.eventdata.TargetUserName">Administrator | System Administrator><field <description>Security Enabled Global Group Member Removed $(win.eventdata.memberSid)</description >
  <options>no_full_log</options>
  <mitre> <id>T1484</id> </mitre>
</rule>

Mainor Rodriguez Rodriguez

Feb 4, 2025, 12:13:25 AM
to Wazuh | Mailing List

Hi Mélina,


To overwrite the rule 60142 and preserve the consistency of the default rule, follow these steps: 


  1. Go to Hamburger menu > Server management > Rules > search for the rule 60142 and open the file that contains it by clicking on the 0580-win-security_rules.xml button, then find and copy rule 60142 as is.

  2. Go back to Rules, and click on the Custom rules button, then click on local_rules.xml button. 

  3. Paste the rule 60142 before the </group> closing tag



  4. Then, modify the rule so that it looks like the following:


Then click on Save, then Restart. 


In the second rule sample you shared there was a missing closing </field>.


Mainor R.


On Friday, January 31, 2025 at 6:04:27 AM UTC-6 Mélina Derdab wrote:
Hello, OK, "Administrator | System Administrator" are critical Active Directory groups to monitor, so I just have to put them in the match tag?
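As an added illustration of the thread above (not code from either reply, nor from Wazuh itself), the following Python check parses a local_rules.xml fragment and evaluates it against constructed 4729 events: it shows the corrected 60142 overwrite firing only for the listed groups, and the earlier sample with the missing </field> failing to parse at all. It assumes only the OS_Regex subset used here (^, $, |) and the win.eventdata key casing written in the thread, which must be checked against a real decoded alert.

```python
import re
import xml.etree.ElementTree as ET
# Constructed local_rules.xml fragment in the shape this thread works toward: 60142
# overwritten so it fires only for 4729 on the named AD groups, with </field> closed and
# no spaces around | (OS_Regex treats spaces as literal characters). Key casing assumed.
RULES_XML = """<group name="local,">
  <rule id="60142" level="5" overwrite="yes">
    <if_sid>60113</if_sid>
    <field name="win.system.eventID">^633$|^4729$</field>
    <field name="win.eventdata.TargetUserName">Administrator|System Administrator</field>
    <description>Security Enabled Global Group Member Removed $(win.eventdata.memberSid)</description>
  </rule>
</group>"""
# The same rule with </field> missing, as in the second sample posted in the thread.
BROKEN_RULES_XML = RULES_XML.replace("System Administrator</field>", "System Administrator")
# Constructed, abbreviated decoded events (not real Wazuh output).
EVENT_ADMIN_GROUP = {"win": {"system": {"eventID": "4729"}, "eventdata": {"TargetUserName": "System Administrator"}}}
EVENT_OTHER_GROUP = {"win": {"system": {"eventID": "4729"}, "eventdata": {"TargetUserName": "Staff"}}}

def sregex_to_re(pattern):
    """Translate the OS_Regex subset used in this thread (^, $, | and literal text)."""
    alts = []
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        body = alt[1 if start else 0:len(alt) - 1 if end else len(alt)]
        alts.append(("^" if start else "") + re.escape(body) + ("$" if end else ""))
    return re.compile("|".join(alts))

def get_field(event, dotted_name):
    """Resolve a dotted name such as win.system.eventID inside a decoded event."""
    for part in dotted_name.split("."):
        event = event.get(part) if isinstance(event, dict) else None
    return None if event is None else str(event)

def rule_fires(rule, event):
    """True when every <field> condition holds; <if_sid> is taken as already satisfied."""
    for f in rule.findall("field"):
        value = get_field(event, f.get("name"))
        if value is None or not sregex_to_re(f.text.strip()).search(value):
            return False
    return True

def evaluate(rules_xml, event):
    """Ids of rules that fire, or None when the XML is malformed (wazuh-analysisd rejects it)."""
    try:
        root = ET.fromstring(rules_xml)
    except ET.ParseError:
        return None
    return [r.get("id") for r in root.iter("rule") if rule_fires(r, event)]
```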