Hello,
I have the same problem.
This is my rule:
<rule id="100300" level="12" frequency="2" timeframe="28800">
  <if_matched_sid>60115</if_matched_sid>
  <options>no_full_log</options>
  <same_field>win.eventdata.targetUserName</same_field>
  <description>Domena: Account locked more than 2 times $(win.eventdata.targetUserName)</description>
</rule>
If rule 60115 fires twice within about 15 minutes, my rule fires. But when more than 30 minutes pass between firings of rule 60115, my rule does not fire.
Newest Wazuh version:
root@wazuh1:/home/socadmin# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.5.2
Type one log per line
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4740","version":"0","level":"0","task":"13824","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-10-11T05:09:59.636846000Z","eventRecordID":"1463966592","processID":"692","threadID":"7592","channel":"Security","computer":"
WINDOWS.domena.moja.pl","severityValue":"AUDIT_SUCCESS","message":"\"A user account was locked out.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWINDOWS$\r\n\tAccount Domain:\t\tUM\r\n\tLogon ID:\t\t0x3E7\r\n\r\nAccount That Was Locked Out:\r\n\tSecurity ID:\t\tS-1-5-21-1727165165-2185125615-2131216522-11941\r\n\tAccount Name:\t\talama\r\n\r\nAdditional Information:\r\n\tCaller Computer Name:\t\""},"eventdata":{"targetUserName":"alama","targetSid":"S-1-5-21-1727165165-2185125615-2131216522-11941","subjectUserSid":"S-1-5-18","subjectUserName":"WINDOWS$","subjectDomainName":"UM","subjectLogonId":"0x3e7"}}}
**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.
name: 'json'
win.eventdata.subjectDomainName: WU
win.eventdata.subjectLogonId: '0x3e7'
win.eventdata.subjectUserName: 'WINDOWS$'
win.eventdata.subjectUserSid: 'S-1-5-18'
win.eventdata.targetSid: 'S-1-5-21-1727165165-2185125615-2131216522-11941'
win.eventdata.targetUserName: 'alama'
win.system.channel: 'Security'
win.system.computer: '
WINDOWS.domena.moja.pl'
win.system.eventID: '4740'
win.system.eventRecordID: '1463966592'
win.system.keywords: '0x8020000000000000'
win.system.level: '0'
win.system.message: '"A user account was locked out.
Subject:
Security ID:
S-1-5-18
Account Name:
WINDOWS$
Account Domain:
UM
Logon ID:
0x3E7
Account That Was Locked Out:
Security ID:
S-1-5-21-1727165165-2185125615-2131216522-11941
Account Name:
alama
Additional Information:
Caller Computer Name:
"'
win.system.opcode: '0'
win.system.processID: '692'
win.system.providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}'
win.system.providerName: 'Microsoft-Windows-Security-Auditing'
win.system.severityValue: 'AUDIT_SUCCESS'
win.system.systemTime: '2023-10-11T05:09:59.636846000Z'
win.system.task: '13824'
win.system.threadID: '7592'
win.system.version: '0'
**Phase 3: Completed filtering (rules).
id: '60115'
level: '9'
description: 'User account locked out (multiple login errors).'
groups: '['windows', 'windows_security', 'authentication_failures']'
firedtimes: '1'
gdpr: '['IV_35.7.d']'
gpg13: '['7.5']'
hipaa: '['164.312.a.1']'
mail: 'False'
mitre.id: '['T1110', 'T1531']'
mitre.tactic: '['Credential Access', 'Impact']'
mitre.technique: '['Brute Force', 'Account Access Removal']'
nist_800_53: '['AC.7', 'SI.4']'
pci_dss: '['11.4', '8.1.6']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4740","version":"0","level":"0","task":"13824","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-10-11T05:09:59.636846000Z","eventRecordID":"1463966592","processID":"692","threadID":"7592","channel":"Security","computer":"
WINDOWS.domena.moja.pl","severityValue":"AUDIT_SUCCESS","message":"\"A user account was locked out.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWINDOWS$\r\n\tAccount Domain:\t\tUM\r\n\tLogon ID:\t\t0x3E7\r\n\r\nAccount That Was Locked Out:\r\n\tSecurity ID:\t\tS-1-5-21-1727165165-2185125615-2131216522-11941\r\n\tAccount Name:\t\talama\r\n\r\nAdditional Information:\r\n\tCaller Computer Name:\t\""},"eventdata":{"targetUserName":"alama","targetSid":"S-1-5-21-1727165165-2185125615-2131216522-11941","subjectUserSid":"S-1-5-18","subjectUserName":"WINDOWS$","subjectDomainName":"UM","subjectLogonId":"0x3e7"}}}
**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.
name: 'json'
win.eventdata.subjectDomainName: WU
win.eventdata.subjectLogonId: '0x3e7'
win.eventdata.subjectUserName: 'WINDOWS$'
win.eventdata.subjectUserSid: 'S-1-5-18'
win.eventdata.targetSid: 'S-1-5-21-1727165165-2185125615-2131216522-11941'
win.eventdata.targetUserName: 'alama'
win.system.channel: 'Security'
win.system.computer: '
WINDOWS.domena.moja.pl'
win.system.eventID: '4740'
win.system.eventRecordID: '1463966592'
win.system.keywords: '0x8020000000000000'
win.system.level: '0'
win.system.message: '"A user account was locked out.
Subject:
Security ID:
S-1-5-18
Account Name:
WINDOWS$
Account Domain:
UM
Logon ID:
0x3E7
Account That Was Locked Out:
Security ID:
S-1-5-21-1727165165-2185125615-2131216522-11941
Account Name:
alama
Additional Information:
Caller Computer Name:
"'
win.system.opcode: '0'
win.system.processID: '692'
win.system.providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}'
win.system.providerName: 'Microsoft-Windows-Security-Auditing'
win.system.severityValue: 'AUDIT_SUCCESS'
win.system.systemTime: '2023-10-11T05:09:59.636846000Z'
win.system.task: '13824'
win.system.threadID: '7592'
win.system.version: '0'
**Phase 3: Completed filtering (rules).
id: '100300'
level: '12'
description: 'Domena: konto zablokowane wiecej niz 4 razy alama'
groups: '['windows', 'windows_security']'
firedtimes: '1'
frequency: '2'
mail: 'True'
**Alert to be generated.
root@wazuh1:/home/socadmin# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.5.2
Type one log per line
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4740","version":"0","level":"0","task":"13824","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-10-11T05:09:59.636846000Z","eventRecordID":"1463966592","processID":"692","threadID":"7592","channel":"Security","computer":"
WINDOWS.domena.moja.pl","severityValue":"AUDIT_SUCCESS","message":"\"A user account was locked out.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWINDOWS$\r\n\tAccount Domain:\t\tUM\r\n\tLogon ID:\t\t0x3E7\r\n\r\nAccount That Was Locked Out:\r\n\tSecurity ID:\t\tS-1-5-21-1727165165-2185125615-2131216522-11941\r\n\tAccount Name:\t\talama\r\n\r\nAdditional Information:\r\n\tCaller Computer Name:\t\""},"eventdata":{"targetUserName":"alama","targetSid":"S-1-5-21-1727165165-2185125615-2131216522-11941","subjectUserSid":"S-1-5-18","subjectUserName":"WINDOWS$","subjectDomainName":"UM","subjectLogonId":"0x3e7"}}}
**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.
name: 'json'
win.eventdata.subjectDomainName: WU
win.eventdata.subjectLogonId: '0x3e7'
win.eventdata.subjectUserName: 'WINDOWS$'
win.eventdata.subjectUserSid: 'S-1-5-18'
win.eventdata.targetSid: 'S-1-5-21-1727165165-2185125615-2131216522-11941'
win.eventdata.targetUserName: 'alama'
win.system.channel: 'Security'
win.system.computer: '
WINDOWS.domena.moja.pl'
win.system.eventID: '4740'
win.system.eventRecordID: '1463966592'
win.system.keywords: '0x8020000000000000'
win.system.level: '0'
win.system.message: '"A user account was locked out.
Subject:
Security ID:
S-1-5-18
Account Name:
WINDOWS$
Account Domain:
UM
Logon ID:
0x3E7
Account That Was Locked Out:
Security ID:
S-1-5-21-1727165165-2185125615-2131216522-11941
Account Name:
alama
Additional Information:
Caller Computer Name:
"'
win.system.opcode: '0'
win.system.processID: '692'
win.system.providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}'
win.system.providerName: 'Microsoft-Windows-Security-Auditing'
win.system.severityValue: 'AUDIT_SUCCESS'
win.system.systemTime: '2023-10-11T05:09:59.636846000Z'
win.system.task: '13824'
win.system.threadID: '7592'
win.system.version: '0'
**Phase 3: Completed filtering (rules).
id: '60115'
level: '9'
description: 'User account locked out (multiple login errors).'
groups: '['windows', 'windows_security', 'authentication_failures']'
firedtimes: '1'
gdpr: '['IV_35.7.d']'
gpg13: '['7.5']'
hipaa: '['164.312.a.1']'
mail: 'False'
mitre.id: '['T1110', 'T1531']'
mitre.tactic: '['Credential Access', 'Impact']'
mitre.technique: '['Brute Force', 'Account Access Removal']'
nist_800_53: '['AC.7', 'SI.4']'
pci_dss: '['11.4', '8.1.6']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4740","version":"0","level":"0","task":"13824","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-10-11T05:09:59.636846000Z","eventRecordID":"1463966592","processID":"692","threadID":"7592","channel":"Security","computer":"
WINDOWS.domena.moja.pl","severityValue":"AUDIT_SUCCESS","message":"\"A user account was locked out.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWINDOWS$\r\n\tAccount Domain:\t\tUM\r\n\tLogon ID:\t\t0x3E7\r\n\r\nAccount That Was Locked Out:\r\n\tSecurity ID:\t\tS-1-5-21-1727165165-2185125615-2131216522-11941\r\n\tAccount Name:\t\talama\r\n\r\nAdditional Information:\r\n\tCaller Computer Name:\t\""},"eventdata":{"targetUserName":"alama","targetSid":"S-1-5-21-1727165165-2185125615-2131216522-11941","subjectUserSid":"S-1-5-18","subjectUserName":"WINDOWS$","subjectDomainName":"UM","subjectLogonId":"0x3e7"}}}
New session was created with token "5d088770"
** Wazuh-Logtest: WARNING: (7003): 'a863f602' token expires
**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.
name: 'json'
win.eventdata.subjectDomainName: WU
win.eventdata.subjectLogonId: '0x3e7'
win.eventdata.subjectUserName: 'WINDOWS$'
win.eventdata.subjectUserSid: 'S-1-5-18'
win.eventdata.targetSid: 'S-1-5-21-1727165165-2185125615-2131216522-11941'
win.eventdata.targetUserName: 'alama'
win.system.channel: 'Security'
win.system.computer: '
WINDOWS.domena.moja.pl'
win.system.eventID: '4740'
win.system.eventRecordID: '1463966592'
win.system.keywords: '0x8020000000000000'
win.system.level: '0'
win.system.message: '"A user account was locked out.
Subject:
Security ID:
S-1-5-18
Account Name:
WINDOWS$
Account Domain:
UM
Logon ID:
0x3E7
Account That Was Locked Out:
Security ID:
S-1-5-21-1727165165-2185125615-2131216522-11941
Account Name:
alama
Additional Information:
Caller Computer Name:
"'
win.system.opcode: '0'
win.system.processID: '692'
win.system.providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}'
win.system.providerName: 'Microsoft-Windows-Security-Auditing'
win.system.severityValue: 'AUDIT_SUCCESS'
win.system.systemTime: '2023-10-11T05:09:59.636846000Z'
win.system.task: '13824'
win.system.threadID: '7592'
win.system.version: '0'
**Phase 3: Completed filtering (rules).
id: '60115'
level: '9'
description: 'User account locked out (multiple login errors).'
groups: '['windows', 'windows_security', 'authentication_failures']'
firedtimes: '1'
gdpr: '['IV_35.7.d']'
gpg13: '['7.5']'
hipaa: '['164.312.a.1']'
mail: 'False'
mitre.id: '['T1110', 'T1531']'
mitre.tactic: '['Credential Access', 'Impact']'
mitre.technique: '['Brute Force', 'Account Access Removal']'
nist_800_53: '['AC.7', 'SI.4']'
pci_dss: '['11.4', '8.1.6']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
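To make the intended behaviour of a frequency/timeframe/same_field rule concrete, here is an added Python model of that correlation (my example, not part of the post above and not Wazuh's analysd code): it replays JSON lines shaped like the 4740 record shown in the logtest output, keeps one time window per targetUserName, and fires when `frequency` matches fall within `timeframe` seconds. The sample events, the `make_lockout` helper and the simplified window logic are assumptions made for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def parse_system_time(ts):
    """Parse win.system.systemTime ('2023-10-11T05:09:59.636846000Z') to an aware datetime.
    The fraction can carry 9 digits, so it is truncated to microseconds by hand."""
    base, _, frac = ts.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt + timedelta(microseconds=int((frac or "0")[:6].ljust(6, "0")))


def get_field(event, dotted_path):
    """Resolve a Wazuh-style dotted field name such as win.eventdata.targetUserName."""
    node = event
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


class FrequencyRule:
    """Simplified model (assumption, not Wazuh's engine) of a rule with
    frequency, timeframe and same_field: it fires when `frequency` matching
    events carrying the same `same_field` value fall within `timeframe`
    seconds of each other; counting restarts after an alert."""

    def __init__(self, rule_id, frequency, timeframe, same_field, event_id="4740"):
        self.rule_id = rule_id
        self.frequency = frequency
        self.timeframe = timedelta(seconds=timeframe)
        self.same_field = same_field
        self.event_id = event_id
        self.windows = defaultdict(deque)  # same_field value -> timestamps in window

    def feed(self, raw_line):
        """Feed one JSON log line; return an alert dict when the rule fires, else None."""
        event = json.loads(raw_line)
        if get_field(event, "win.system.eventID") != self.event_id:
            return None  # the parent rule (60115 in the post) would not match this event
        key = get_field(event, self.same_field)
        ts = parse_system_time(get_field(event, "win.system.systemTime"))
        window = self.windows[key]
        window.append(ts)
        # Discard matches older than the timeframe, measured from the newest match.
        while ts - window[0] > self.timeframe:
            window.popleft()
        if len(window) >= self.frequency:
            window.clear()
            return {"rule": self.rule_id, self.same_field: key,
                    "matches": self.frequency, "last_seen": ts.isoformat()}
        return None


def make_lockout(target_user, system_time):
    """Constructed 4740 record shaped like the one in the post (only the fields used here)."""
    return json.dumps({"win": {
        "system": {"providerName": "Microsoft-Windows-Security-Auditing", "eventID": "4740",
                   "channel": "Security", "systemTime": system_time},
        "eventdata": {"targetUserName": target_user}}})


def run_rule(lines, frequency=2, timeframe=28800):
    """Replay log lines through a rule configured like id 100300 and collect its alerts."""
    rule = FrequencyRule("100300", frequency, timeframe, "win.eventdata.targetUserName")
    return [alert for alert in (rule.feed(line) for line in lines) if alert]


if __name__ == "__main__":
    # Same account locked twice, 15 minutes apart: the rule fires on the second event.
    close_together = [make_lockout("alama", "2023-10-11T05:09:59.636846000Z"),
                      make_lockout("alama", "2023-10-11T05:24:59.000000000Z")]
    # Same account, 9 hours apart: outside the 28800 s timeframe, so no alert.
    far_apart = [make_lockout("alama", "2023-10-11T05:09:59.636846000Z"),
                 make_lockout("alama", "2023-10-11T14:09:59.000000000Z")]
    print(run_rule(close_together))
    print(run_rule(far_apart))
```

Two things the model makes visible: the window is keyed on the same_field value, so lockouts of two different accounts never add up to an alert, and the counters live in the `FrequencyRule` instance and start empty, so a rule needing two matches can never fire on the first line fed to a fresh instance.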