How to manage event ID logs for Windows?


Diego Arranz

May 13, 2019, 4:31:15 AM
to Wazuh mailing list
Hi all,

I am trying to create more rules to distinguish the 4624 event by logon type. To do that, we created a file 0581-win-ms_logon.xml in /var/ossec/etc/rules:


<group name="windows,">

<!-- Global Windows Logon Rules ID: 7000xx-->

<rule id="700002" level="5">
  <if_sid>60106</if_sid>
  <field name="data.win.eventdata.logonType">2</field>
  <description>Windows Interactive Logon</description>
  <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,</group>
</rule>

<rule id="700003" level="5">
  <if_sid>60106</if_sid>
  <field name="data.win.eventdata.logonType">3</field>
  <description>Windows Network Logon</description>
  <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,</group>
</rule>

...
....
..
</group>

We restart wazuh-manager to see the changes, but it seems the manager cannot get to this rule: we always see rule 60106 but never 700003 or any of the others...

If we try with ossec-logtest,

ossec-testrule: Type one log per line.

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4624","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8020000000000000","systemTime":"2019-05-13T00:51:42.442197400Z","eventRecordID":"166608293","processID":"608","threadID":"12532","channel":"Security","computer":"XXXXXXXXXXXXXX","severityValue":"AUDIT_SUCCESS","message":"L’ouverture de session d’un compte s’est correctement déroulée."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-5-21-64978884-1012102104-654838779-2085","targetUserName":"XXXX$","targetDomainName":"XXXXX","targetLogonId":"0x236bea2a2","logonType":"3","logonProcessName":"Kerberos","authenticationPackageName":"Kerberos","logonGuid":"{A5C45E80-55C9-77CF-1046-9C8FA483CC05}","keyLength":"0","processId":"0x0","ipAddress":"192.168.1.47","ipPort":"56030"}}}



**Phase 1: Completed pre-decoding.
       full event: {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4624","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8020000000000000","systemTime":"2019-05-13T00:51:42.442197400Z","eventRecordID":"166608293","processID":"608","threadID":"12532","channel":"Security","computer":"XXXXXXXXXXXXXX","severityValue":"AUDIT_SUCCESS","message":"L’ouverture de session d’un compte s’est correctement déroulée."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-5-21-64978884-1012102104-654838779-2085","targetUserName":"XXXX$","targetDomainName":"XXXXX","targetLogonId":"0x236bea2a2","logonType":"3","logonProcessName":"Kerberos","authenticationPackageName":"Kerberos","logonGuid":"{A5C45E80-55C9-77CF-1046-9C8FA483CC05}","keyLength":"0","processId":"0x0","ipAddress":"192.168.1.47","ipPort":"56030"}}}
       timestamp: '(null)'
       hostname: 'wazuh'
       program_name: '(null)'
       log: {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4624","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8020000000000000","systemTime":"2019-05-13T00:51:42.442197400Z","eventRecordID":"166608293","processID":"608","threadID":"12532","channel":"Security","computer":"XXXXXXXXXXXXXX","severityValue":"AUDIT_SUCCESS","message":"L’ouverture de session d’un compte s’est correctement déroulée."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-5-21-64978884-1012102104-654838779-2085","targetUserName":"XXXX$","targetDomainName":"XXXXX","targetLogonId":"0x236bea2a2","logonType":"3","logonProcessName":"Kerberos","authenticationPackageName":"Kerberos","logonGuid":"{A5C45E80-55C9-77CF-1046-9C8FA483CC05}","keyLength":"0","processId":"0x0","ipAddress":"192.168.1.47","ipPort":"56030"}}}

**Phase 2: Completed decoding.
       decoder: 'json'
       win.system.providerName: 'Microsoft-Windows-Security-Auditing'
       win.system.providerGuid: '{54849625-5478-4994-A5BA-3E3B0328C30D}'
       win.system.eventID: '4624'
       win.system.version: '0'
       win.system.level: '0'
       win.system.task: '12544'
       win.system.opcode: '0'
       win.system.keywords: '0x8020000000000000'
       win.system.systemTime: '2019-05-13T00:51:42.442197400Z'
       win.system.eventRecordID: '166608293'
       win.system.processID: '608'
       win.system.threadID: '12532'
       win.system.channel: 'Security'
       win.system.computer: 'XXXXXXXXX'
       win.system.severityValue: 'AUDIT_SUCCESS'
       win.system.message: 'L’ouverture de session d’un compte s’est correctement déroulée.'
       win.eventdata.subjectUserSid: 'S-1-0-0'
       win.eventdata.subjectLogonId: '0x0'
       win.eventdata.targetUserSid: 'S-1-5-21-64978884-1012102104-654838779-2085'
       win.eventdata.targetUserName: 'XXXX$'
       win.eventdata.targetDomainName: 'XXX'
       win.eventdata.targetLogonId: '0x236bea2a2'
       win.eventdata.logonType: '3'
       win.eventdata.logonProcessName: 'Kerberos'
       win.eventdata.authenticationPackageName: 'Kerberos'
       win.eventdata.logonGuid: '{A5C45E80-55C9-77CF-1046-9C8FA483CC05}'
       win.eventdata.keyLength: '0'
       win.eventdata.processId: '0x0'
       win.eventdata.ipAddress: 'XX.XX.XX.XX'
       win.eventdata.ipPort: '56030'

But we cannot see how Wazuh triggers the rules. Is there a way to see it? How can we manage this kind of rule?

Thanks in advance

Cristina Garrido López

May 13, 2019, 5:04:57 AM
to Wazuh mailing list
Hello Diego,

The field you are trying to filter, "data.win.eventdata.logonType", does not exist, as the "data" section is only shown in the Kibana app. Try with "win.eventdata.logonType".
Also note that using ossec-logtest is not possible with EventChannel, as it is an internal decoder not written in XML; there is an open issue to support these decoders (https://github.com/wazuh/wazuh/issues/2765). However, you can test your rules with ossec-logtest by replacing <decoded_as>windows_eventchannel</decoded_as> with <decoded_as>json</decoded_as> and removing the <category>ossec</category> section from the parent rule with ID 60000. Remember to roll back your changes after testing them with ossec-logtest.

If you have any other doubts I will be happy to help.

Kind regards,
Cristina
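To see concretely why the field name matters (and why the decoded_as swap is needed before ossec-logtest can reach these rules), here is an added Python model of how the json decoder flattens an event and how if_sid/field matching walks the rule tree. It is example code written for this thread, not Wazuh's own analysisd (which is C and uses OSSEC regex; Python's re module stands in for it). The rules 60000 and 60106 inside it are simplified stand-ins for the real ruleset entries, and the sample event is constructed from the shape of the one posted above.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample event shaped like the 4624 event in the question
# (values shortened and anonymised). Not a real capture.
SAMPLE_EVENT = json.dumps({
    "win": {
        "system": {"providerName": "Microsoft-Windows-Security-Auditing",
                   "eventID": "4624", "channel": "Security"},
        "eventdata": {"targetUserName": "WKS01$", "logonType": "3",
                      "logonProcessName": "Kerberos", "ipAddress": "192.0.2.47"},
    }
})

def rules_xml(prefix, base_decoder="json"):
    """Hypothetical stand-ins for rules 60000/60106 plus the two child rules
    from the question; prefix is "data." (original) or "" (the fix).
    Values are anchored (^3$) because <field> is a regex, not a literal."""
    return f"""<group name="windows,">
  <rule id="60000" level="0">
    <decoded_as>{base_decoder}</decoded_as>
    <description>Windows base rule (stand-in)</description>
  </rule>
  <rule id="60106" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.eventID">^4624$</field>
    <description>Windows Logon Success (stand-in)</description>
  </rule>
  <rule id="700002" level="5">
    <if_sid>60106</if_sid>
    <field name="{prefix}win.eventdata.logonType">^2$</field>
    <description>Windows Interactive Logon</description>
  </rule>
  <rule id="700003" level="5">
    <if_sid>60106</if_sid>
    <field name="{prefix}win.eventdata.logonType">^3$</field>
    <description>Windows Network Logon</description>
  </rule>
</group>"""

def flatten(obj, prefix=""):
    """Flatten nested JSON into the dotted names ossec-logtest prints under
    'Phase 2: Completed decoding' (win.eventdata.logonType: '3'). There is
    no 'data.' key at this stage; the alert output adds that wrapper later."""
    out = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = str(value)
    return out

def decoded_fields():
    return flatten(json.loads(SAMPLE_EVENT))

def parse_rules(xml_text):
    """Pull out the parts of each <rule> that this simplified engine uses."""
    return [{"id": r.get("id"),
             "if_sid": r.findtext("if_sid"),
             "decoded_as": r.findtext("decoded_as"),
             "fields": [(f.get("name"), f.text) for f in r.findall("field")]}
            for r in ET.fromstring(xml_text).iter("rule")]

def evaluate(event_json, xml_text, decoder="json"):
    """Return the deepest rule that fires. Children (if_sid) are only tried
    once their parent matched, as in analysisd's rule tree, and every
    <field> must both exist in the decoded event and match its regex."""
    fields = flatten(json.loads(event_json))
    matched = None
    for rule in parse_rules(xml_text):  # file order: parents before children
        if rule["decoded_as"] and rule["decoded_as"] != decoder:
            continue
        if rule["if_sid"] and rule["if_sid"] != (matched["id"] if matched else None):
            continue
        if all(name in fields and re.search(pat, fields[name])
               for name, pat in rule["fields"]):
            matched = rule
    return matched

def compare_prefixes():
    """Rule id reached with the 'data.' prefix vs. with plain 'win.' names."""
    return (evaluate(SAMPLE_EVENT, rules_xml("data."))["id"],
            evaluate(SAMPLE_EVENT, rules_xml(""))["id"])

if __name__ == "__main__":
    print("decoded fields:", sorted(decoded_fields()))
    broken, fixed = compare_prefixes()
    print("data.win.eventdata.logonType ->", broken)  # 60106: children never fire
    print("win.eventdata.logonType      ->", fixed)   # 700003
```

Running it prints the flattened names (none of them starts with data.), then 60106 for the rules that use the data. prefix and 700003 once the prefix is dropped. Passing rules_xml("", "windows_eventchannel") to evaluate returns None, which is the ossec-logtest situation Cristina describes: the base rule is bound to a decoder the tool does not run, so nothing below it can match until decoded_as is switched to json. The logon type values are written as ^3$ rather than a bare 3 because the content of <field> is a regex; an unanchored 3 would also match any logon type value that merely contains that digit.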