Wazuh 4.14 - Mitre attack has stopped working again


Glyn Richards

Dec 16, 2025, 9:58:06 AM
to Wazuh | Mailing List
Hi,

Need some more advice: all MITRE ATT&CK information has not been showing in the dashboard from 3/12/2025. I have tried the recommendation given before (that worked last time), but after trying the solution again there is no change.

Any more suggestions to fix this information?

Nicolas Alejandro Bertoldo

Dec 16, 2025, 11:06:31 AM
to Wazuh | Mailing List
Hi Glyn,

Confirm Alerts Are Generated Locally on the Manager:

You can generate a test event by logging into the agent machine using incorrect credentials. In this case, you will receive alert ID 60122 "Logon Failure - Unknown user or bad password" and MITRE ID T1531.
Tail the alerts log for your test event:
  • sudo tail -f /var/ossec/logs/alerts/alerts.json | grep "60122"
  • Trigger another failed login on the agent and watch for a new entry (it should trigger rule ID 60122, which satisfies your MITRE requirement). If nothing appears here, double-check your agent's connection (/var/ossec/bin/agent_control -l).
The above-mentioned rule is for the Windows logon failure alert.
Verify that other logs from this agent are being received successfully.

If the agent is disconnected, then troubleshoot to reconnect it; otherwise, no logs from that agent appear on the dashboard.
Windows 64-bit: C:\Program Files (x86)\ossec-agent\ossec.log
Windows 32-bit: C:\Program Files\ossec-agent\ossec.log
Please share the logs from the agent ossec.log if the agent is disconnected.

If the agent is connected, then verify that the alert was received in the alerts.json file as mentioned above, and if you can find the log there, then check again in the dashboard by navigating to Discovery -> Add filter -> Field: rule.id, Operator: is, Value: 60122 -> Save.
Also, you can check by navigating to Threat Intelligence -> MITRE ATT&CK  -> Events

Let me know the update on this.
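The alerts.json check from the reply above, as an added example that is not part of the original thread or Wazuh's own tooling: it counts how many alerts for a rule ID carry a `rule.mitre` block, which separates "the manager is not tagging alerts" from "tagged alerts are not reaching the dashboard". The sample lines are constructed, and the function name `mitre_coverage` is hypothetical.

```python
import json
import sys
from collections import Counter

# Constructed sample lines in the alerts.json layout (one JSON object per line);
# field names follow Wazuh's rule.mitre.id / rule.mitre.tactic structure.
SAMPLE = [
    '{"rule":{"id":"60122","level":5,"mitre":{"id":["T1531"],"tactic":["Impact"]}},"agent":{"name":"win-01"}}',
    '{"rule":{"id":"60122","level":5},"agent":{"name":"win-02"}}',
    '{"rule":{"id":"5715","level":3,"mitre":{"id":["T1078"]}},"agent":{"name":"lnx-01"}}',
    '{"rule":{"id":"60122","lev',  # truncated line, as seen when reading mid-write
]

def mitre_coverage(lines, rule_id=None):
    """Count alerts with and without rule.mitre, optionally for one rule ID."""
    stats = {"matched": 0, "with_mitre": 0, "without_mitre": 0, "malformed": 0}
    techniques = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            alert = None
        if not isinstance(alert, dict):
            stats["malformed"] += 1  # partial or non-object line
            continue
        rule = alert.get("rule") or {}
        if rule_id is not None and str(rule.get("id")) != str(rule_id):
            continue
        stats["matched"] += 1
        ids = (rule.get("mitre") or {}).get("id") or []
        if ids:
            stats["with_mitre"] += 1
            techniques.update(ids)
        else:
            stats["without_mitre"] += 1
    stats["techniques"] = dict(techniques)
    return stats

if __name__ == "__main__":
    # Pass a path such as /var/ossec/logs/alerts/alerts.json, or run with no
    # argument to use the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            print(mitre_coverage(fh, rule_id="60122"))
    else:
        print(mitre_coverage(SAMPLE, rule_id="60122"))
```

If `with_mitre` is non-zero for rule 60122 on the manager while the MITRE ATT&CK view stays empty, the alerts are being tagged and the gap lies after alerts.json.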

Glyn Richards

6:40 AM
to wa...@googlegroups.com


---------- Forwarded message ---------
From: Glyn Richards <glrich...@gmail.com>
Date: Wed, Dec 17, 2025 at 10:01 AM
Subject: Re: Wazuh 4.14 - Mitre attack has stopped working again
To: <steve...@platinum-hit.com>


Hi,

Worked through all the recommendations:
- Clients sending information
- Event seen via Threat Hunting (see below)

image.png

However, if we look at the MITRE ATT&CK view, there is still nothing displayed:

image.png

On Tue, Dec 16, 2025 at 7:07 PM Glyn Richards <glrich...@gmail.com> wrote:


Nicolas Alejandro Bertoldo

1:28 PM
to Wazuh | Mailing List
Hi Glyn, 

Could you please send me the manager logs to see if they provide a bit more context to the problem? Check the logs with this command:

cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

Regards