Create custom decoder from ADFS auditing log


riiky devils

Aug 16, 2021, 2:52:13 AM
to Wazuh mailing list
Hello,

I'm currently facing an issue creating a custom decoder from the ADFS auditing log.
I cannot create an exact prematch decoder from archives.log.

This is an example log from archives.log:
2021 Aug 16 08:39:13 (live-365-adfs) any->EventChannel {"win":{"system":{"providerName":"AD FS Auditing","eventID":"1202","level":"0","task":"3","keywords":"0x80a0000000000000","systemTime":"2021-08-16T01:39:12.364350400Z","eventRecordID":"1727886","channel":"Security","computer":"xxxxx.xxxx.com,"severityValue":"AUDIT_SUCCESS","message":"\"The Federation Service validated a new credential. See XML for details. \r\n\r\nActivity ID: xxxxxxxxxxxxxxx \r\n\r\nAdditional Data \r\nXML: <?xml version=\"1.0\" encoding=\"utf-16\"?>\r\n<AuditBase xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"FreshCredentialAudit\">\r\n  <AuditType>FreshCredentials</AuditType>\r\n  <AuditResult>Success</AuditResult>\r\n  <FailureType>None</FailureType>\r\n  <ErrorCode>N/A</ErrorCode>\r\n  <ContextComponents>\r\n    <Component xsi:type=\"ResourceAuditComponent\">\r\n      <RelyingParty>xxxxx-xxxx-xxxx</RelyingParty>\r\n      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>\r\n      <UserId>XXXXX</UserId>\r\n    </Component>\r\n    <Component xsi:type=\"AuthNAuditComponent\">\r\n      <PrimaryAuth>N/A</PrimaryAuth>\r\n      <DeviceAuth>false</DeviceAuth>\r\n      <DeviceId>N/A</DeviceId>\r\n      <MfaPerformed>false</MfaPerformed>\r\n      <MfaMethod>N/A</MfaMethod>\r\n      <TokenBindingProvidedId>false</TokenBindingProvidedId>\r\n      <TokenBindingReferredId>false</TokenBindingReferredId>\r\n      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>\r\n    </Component>\r\n    <Component xsi:type=\"ProtocolAuditComponent\">\r\n      <OAuthClientId>N/A</OAuthClientId>\r\n      <OAuthGrant>N/A</OAuthGrant>\r\n    </Component>\r\n    <Component xsi:type=\"RequestAuditComponent\">\r\n      <Server>https://axfs.xxxxxxxx</Server>\r\n      <AuthProtocol>OAuth</AuthProtocol>\r\n      <NetworkLocation>Intranet</NetworkLocation>\r\n      <IpAddress>10.10.xx.xx</IpAddress>\r\n      <ProxyServer>N/A</ProxyServer>\r\n      
<UserAgentString>Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36</UserAgentString>\r\n      <Endpoint>/adfs/oauth2/authorize/</Endpoint>\r\n    </Component>\r\n  </ContextComponents>\r\n</AuditBase>\""},"eventdata":{"data":"xxxxx-xxxxx-xxxx, &lt;?xml version=\\\"1.0\\\" encoding=\\\"utf-16\\\"?&gt;  &lt;AuditBase xmlns:xsd=\\\"http://www.w3.org/2001/XMLSchema\\\" xmlns:xsi=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xsi:type=\\\"FreshCredentialAudit\\\"&gt;    &lt;AuditType&gt;FreshCredentials&lt;/AuditType&gt;    &lt;AuditResult&gt;Success&lt;/AuditResult&gt;    &lt;FailureType&gt;None&lt;/FailureType&gt;    &lt;ErrorCode&gt;N/A&lt;/ErrorCode&gt;    &lt;ContextComponents&gt;      &lt;Component xsi:type=\\\"ResourceAuditComponent\\\"&gt;        &lt;RelyingParty&gt;xxx-xxxx-xxxxlt;/RelyingParty&gt;        &lt;ClaimsProvider&gt;AD AUTHORITY&lt;/ClaimsProvider&gt;        &lt;UserId&gt;xxxx-xxxx&lt;/UserId&gt;      &lt;/Component&gt;      &lt;Component xsi:type=\\\"AuthNAuditComponent\\\"&gt;        &lt;PrimaryAuth&gt;N/A&lt;/PrimaryAuth&gt;        &lt;DeviceAuth&gt;false&lt;/DeviceAuth&gt;        &lt;DeviceId&gt;N/A&lt;/DeviceId&gt;        &lt;MfaPerformed&gt;false&lt;/MfaPerformed&gt;        &lt;MfaMethod&gt;N/A&lt;/MfaMethod&gt;        &lt;TokenBindingProvidedId&gt;false&lt;/TokenBindingProvidedId&gt;        &lt;TokenBindingReferredId&gt;false&lt;/TokenBindingReferredId&gt;        &lt;SsoBindingValidationLevel&gt;NotSet&lt;/SsoBindingValidationLevel&gt;      &lt;/Component&gt;      &lt;Component xsi:type=\\\"ProtocolAuditComponent\\\"&gt;        &lt;OAuthClientId&gt;N/A&lt;/OAuthClientId&gt;        &lt;OAuthGrant&gt;N/A&lt;/OAuthGrant&gt;      &lt;/Component&gt;      &lt;Component xsi:type=\\\"RequestAuditComponent\\\"&gt;        &lt;Server&gt;https://xxxxx.xxxx.com&lt;/Server&gt;        &lt;AuthProtocol&gt;OAuth&lt;/AuthProtocol&gt;        
&lt;NetworkLocation&gt;Intranet&lt;/NetworkLocation&gt;        &lt;IpAddress&gt;10.10.xxx.xxx&lt;/IpAddress&gt;        &lt;ProxyServer&gt;N/A&lt;/ProxyServer&gt;        &lt;UserAgentString&gt;Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36&lt;/UserAgentString&gt;        &lt;Endpoint&gt;/adfs/oauth2/authorize/&lt;/Endpoint&gt;      &lt;/Component&gt;    &lt;/ContextComponents&gt;  &lt;/AuditBase&gt;"}}}

Actually, I want to extract failure and success events from the AD FS classic security log, which the decoder does not provide by default for the eventchannel log.

Can anyone help me?

Thanks

Fabricio Brunetti

Aug 18, 2021, 9:32:15 AM
to Wazuh mailing list
Hi Riiky,

From which Wazuh version were these logs collected? There is something weird with JSON and XML formats mixed in a single log.
Have you tried adding the "AD FS/Auditing" provider using this guide: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html ?

Regards,
Fabricio Brunetti

riiky devils

Aug 18, 2021, 9:19:14 PM
to Wazuh mailing list
Hi Fabricio,

The Wazuh version on the server where the logs were collected is 4.1.4. I have already added a localfile for the Security eventchannel log in ossec.conf:
 ossec.conf.PNG

When I try to parse the previous log from archives.log with logtest, the result is that no decoder matched:
no decoder detected adfs.PNG

This is the real log from Event Viewer on the server:
adfs auditing log.PNG

So, is there any workaround to create a decoder from the ADFS auditing log?

Thank You,

Fabricio Brunetti

Aug 19, 2021, 11:32:29 AM
to Wazuh mailing list
Riiky,

Instead of looking for the event log in archives.log, could you search for it in archives.json? It should be in the same folder and will provide cleaner logs (hopefully without \n and &lt characters) for Windows Event Channel.
In newer versions of Wazuh, like the one you are using, Windows Event Channel events do not need a decoder; they are automatically decoded in a JSON-like format. Ideally you would write a simple base rule that would act as a "decoder" and then extend it with specific rules.
Testing Windows event log rules using wazuh-logtest is a bit tricky, as you will need to make a temporary change to rule 60000 in /var/ossec/ruleset/rules/0575-win-base_rules.xml:

  <rule id="60000" level="0">
    <!--category>ossec</category-->
    <!--decoded_as>windows_eventchannel</decoded_as-->
    <decoded_as>json</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules</description>
  </rule>

Your child rule would be something like:

AD FS Auditing

  <rule id="100001" level="0">
    <if_sid>60000</if_sid>
    <field name="win.system.providerName">AD FS Auditing</field>
    <options>no_full_log</options>
    <description>Group of AD FS classic security log rules</description>
  </rule>

If you can get the log in json format I can provide better guidance on this.

Regards,
Fabricio

riiky devils

Aug 20, 2021, 1:21:41 AM
to Wazuh mailing list
Hi Fabricio,

Here is the log format from archives.json:

{"timestamp":"2021-08-20T04:26:00.293+0700","agent":{"id":"002","name":"adfs-server","ip":"10.10.xx.xx"},"manager":{"name":"siem.domain.com"},"id":"1629408360.1384361533","full_log":"{\"win\":{\"system\":{\"providerName\":\"AD FS Auditing\",\"eventID\":\"1202\",\"level\":\"0\",\"task\":\"3\",\"keywords\":\"0x80a0000000000000\",\"systemTime\":\"2021-08-19T21:25:59.254335000Z\",\"eventRecordID\":\"1760607\",\"channel\":\"Security\",\"computer\":\"adadada.xxx.com\",\"severityValue\":\"AUDIT_SUCCESS\",\"message\":\"\\\"The Federation Service validated a new credential. See XML for details. \\r\\n\\r\\nActivity ID: xxx-xxxx-xxxxx-xxxxx \\r\\n\\r\\nAdditional Data \\r\\nXML: <?xml version=\\\"1.0\\\" encoding=\\\"utf-16\\\"?>\\r\\n<AuditBase xmlns:xsd=\\\"http://www.w3.org/2001/XMLSchema\\\" xmlns:xsi=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xsi:type=\\\"FreshCredentialAudit\\\">\\r\\n  <AuditType>FreshCredentials</AuditType>\\r\\n  <AuditResult>Success</AuditResult>\\r\\n  <FailureType>None</FailureType>\\r\\n  <ErrorCode>N/A</ErrorCode>\\r\\n  <ContextComponents>\\r\\n    <Component xsi:type=\\\"ResourceAuditComponent\\\">\\r\\n      <RelyingParty>yyyy-yyyyy-yyyy-yyyyy</RelyingParty>\\r\\n      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>\\r\\n      <UserId>domain\\\\user</UserId>\\r\\n    </Component>\\r\\n    <Component xsi:type=\\\"AuthNAuditComponent\\\">\\r\\n      <PrimaryAuth>N/A</PrimaryAuth>\\r\\n      <DeviceAuth>false</DeviceAuth>\\r\\n      <DeviceId>N/A</DeviceId>\\r\\n      <MfaPerformed>false</MfaPerformed>\\r\\n      <MfaMethod>N/A</MfaMethod>\\r\\n      <TokenBindingProvidedId>false</TokenBindingProvidedId>\\r\\n      <TokenBindingReferredId>false</TokenBindingReferredId>\\r\\n      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>\\r\\n    </Component>\\r\\n    <Component xsi:type=\\\"ProtocolAuditComponent\\\">\\r\\n      <OAuthClientId>N/A</OAuthClientId>\\r\\n      <OAuthGrant>N/A</OAuthGrant>\\r\\n    </Component>\\r\\n    
<Component xsi:type=\\\"RequestAuditComponent\\\">\\r\\n      <Server>https://axfs.domain.com/adfs</Server>\\r\\n      <AuthProtocol>OAuth</AuthProtocol>\\r\\n      <NetworkLocation>Extranet</NetworkLocation>\\r\\n      <IpAddress>10.10.xx.xx</IpAddress>\\r\\n      <ProxyServer>10.10.xx.xx</ProxyServer>\\r\\n      <UserAgentString>Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36</UserAgentString>\\r\\n      <Endpoint>/adfs/oauth2/authorize/</Endpoint>\\r\\n    </Component>\\r\\n  </ContextComponents>\\r\\n</AuditBase>\\\"\"},\"eventdata\":{\"data\":\"xxx-xxxx-xxxxx-xxxxx, &lt;?xml version=\\\\\\\"1.0\\\\\\\" encoding=\\\\\\\"utf-16\\\\\\\"?&gt;  &lt;AuditBase xmlns:xsd=\\\\\\\"http://www.w3.org/2001/XMLSchema\\\\\\\" xmlns:xsi=\\\\\\\"http://www.w3.org/2001/XMLSchema-instance\\\\\\\" xsi:type=\\\\\\\"FreshCredentialAudit\\\\\\\"&gt;    &lt;AuditType&gt;FreshCredentials&lt;/AuditType&gt;    &lt;AuditResult&gt;Success&lt;/AuditResult&gt;    &lt;FailureType&gt;None&lt;/FailureType&gt;    &lt;ErrorCode&gt;N/A&lt;/ErrorCode&gt;    &lt;ContextComponents&gt;      &lt;Component xsi:type=\\\\\\\"ResourceAuditComponent\\\\\\\"&gt;        &lt;RelyingParty&gt;yyyy-yyyyy-yyyy-yyyyy&lt;/RelyingParty&gt;        &lt;ClaimsProvider&gt;AD AUTHORITY&lt;/ClaimsProvider&gt;        &lt;UserId&gt;domain\\\\\\\\user&lt;/UserId&gt;      &lt;/Component&gt;      &lt;Component xsi:type=\\\\\\\"AuthNAuditComponent\\\\\\\"&gt;        &lt;PrimaryAuth&gt;N/A&lt;/PrimaryAuth&gt;        &lt;DeviceAuth&gt;false&lt;/DeviceAuth&gt;        &lt;DeviceId&gt;N/A&lt;/DeviceId&gt;        &lt;MfaPerformed&gt;false&lt;/MfaPerformed&gt;        &lt;MfaMethod&gt;N/A&lt;/MfaMethod&gt;        &lt;TokenBindingProvidedId&gt;false&lt;/TokenBindingProvidedId&gt;        &lt;TokenBindingReferredId&gt;false&lt;/TokenBindingReferredId&gt;        &lt;SsoBindingValidationLevel&gt;NotSet&lt;/SsoBindingValidationLevel&gt;      &lt;/Component&gt;      
&lt;Component xsi:type=\\\\\\\"ProtocolAuditComponent\\\\\\\"&gt;        &lt;OAuthClientId&gt;N/A&lt;/OAuthClientId&gt;        &lt;OAuthGrant&gt;N/A&lt;/OAuthGrant&gt;      &lt;/Component&gt;      &lt;Component xsi:type=\\\\\\\"RequestAuditComponent\\\\\\\"&gt;        &lt;Server&gt;https://axfs.domain.com/adfs&lt;/Server&gt;        &lt;AuthProtocol&gt;OAuth&lt;/AuthProtocol&gt;        &lt;NetworkLocation&gt;Extranet&lt;/NetworkLocation&gt;        &lt;IpAddress&gt;10.10.xx.xx&lt;/IpAddress&gt;        &lt;ProxyServer&gt;10.10.xx.xx&lt;/ProxyServer&gt;        &lt;UserAgentString&gt;Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36&lt;/UserAgentString&gt;        &lt;Endpoint&gt;/adfs/oauth2/authorize/&lt;/Endpoint&gt;      &lt;/Component&gt;    &lt;/ContextComponents&gt;  &lt;/AuditBase&gt;\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"AD FS Auditing","eventID":"1202","level":"0","task":"3","keywords":"0x80a0000000000000","systemTime":"2021-08-19T21:25:59.254335000Z","eventRecordID":"1760607","channel":"Security","computer":"adadada.xxx.com","severityValue":"AUDIT_SUCCESS","message":"\"The Federation Service validated a new credential. See XML for details. 
\r\n\r\nActivity ID: xxx-xxxx-xxxxx-xxxxx \r\n\r\nAdditional Data \r\nXML: <?xml version=\"1.0\" encoding=\"utf-16\"?>\r\n<AuditBase xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"FreshCredentialAudit\">\r\n  <AuditType>FreshCredentials</AuditType>\r\n  <AuditResult>Success</AuditResult>\r\n  <FailureType>None</FailureType>\r\n  <ErrorCode>N/A</ErrorCode>\r\n  <ContextComponents>\r\n    <Component xsi:type=\"ResourceAuditComponent\">\r\n      <RelyingParty>yyyy-yyyyy-yyyy-yyyyy</RelyingParty>\r\n      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>\r\n      <UserId>domain\\user</UserId>\r\n    </Component>\r\n    <Component xsi:type=\"AuthNAuditComponent\">\r\n      <PrimaryAuth>N/A</PrimaryAuth>\r\n      <DeviceAuth>false</DeviceAuth>\r\n      <DeviceId>N/A</DeviceId>\r\n      <MfaPerformed>false</MfaPerformed>\r\n      <MfaMethod>N/A</MfaMethod>\r\n      <TokenBindingProvidedId>false</TokenBindingProvidedId>\r\n      <TokenBindingReferredId>false</TokenBindingReferredId>\r\n      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>\r\n    </Component>\r\n    <Component xsi:type=\"ProtocolAuditComponent\">\r\n      <OAuthClientId>N/A</OAuthClientId>\r\n      <OAuthGrant>N/A</OAuthGrant>\r\n    </Component>\r\n    <Component xsi:type=\"RequestAuditComponent\">\r\n      <Server>https://axfs.domain.com/adfs</Server>\r\n      <AuthProtocol>OAuth</AuthProtocol>\r\n      <NetworkLocation>Extranet</NetworkLocation>\r\n      <IpAddress>10.10.xx.xx</IpAddress>\r\n      <ProxyServer>10.10.xx.xx</ProxyServer>\r\n      <UserAgentString>Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36</UserAgentString>\r\n      <Endpoint>/adfs/oauth2/authorize/</Endpoint>\r\n    </Component>\r\n  </ContextComponents>\r\n</AuditBase>\""},"eventdata":{"data":"xxx-xxxx-xxxxx-xxxxx, &lt;?xml version=\\\"1.0\\\" encoding=\\\"utf-16\\\"?&gt;  &lt;AuditBase 
xmlns:xsd=\\\"http://www.w3.org/2001/XMLSchema\\\" xmlns:xsi=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xsi:type=\\\"FreshCredentialAudit\\\"&gt;    &lt;AuditType&gt;FreshCredentials&lt;/AuditType&gt;    &lt;AuditResult&gt;Success&lt;/AuditResult&gt;    &lt;FailureType&gt;None&lt;/FailureType&gt;    &lt;ErrorCode&gt;N/A&lt;/ErrorCode&gt;    &lt;ContextComponents&gt;      &lt;Component xsi:type=\\\"ResourceAuditComponent\\\"&gt;        &lt;RelyingParty&gt;yyyy-yyyyy-yyyy-yyyyy&lt;/RelyingParty&gt;        &lt;ClaimsProvider&gt;AD AUTHORITY&lt;/ClaimsProvider&gt;        &lt;UserId&gt;domain\\\\user&lt;/UserId&gt;      &lt;/Component&gt;      &lt;Component xsi:type=\\\"AuthNAuditComponent\\\"&gt;        &lt;PrimaryAuth&gt;N/A&lt;/PrimaryAuth&gt;        &lt;DeviceAuth&gt;false&lt;/DeviceAuth&gt;        &lt;DeviceId&gt;N/A&lt;/DeviceId&gt;        &lt;MfaPerformed&gt;false&lt;/MfaPerformed&gt;        &lt;MfaMethod&gt;N/A&lt;/MfaMethod&gt;        &lt;TokenBindingProvidedId&gt;false&lt;/TokenBindingProvidedId&gt;        &lt;TokenBindingReferredId&gt;false&lt;/TokenBindingReferredId&gt;        &lt;SsoBindingValidationLevel&gt;NotSet&lt;/SsoBindingValidationLevel&gt;      &lt;/Component&gt;      &lt;Component xsi:type=\\\"ProtocolAuditComponent\\\"&gt;        &lt;OAuthClientId&gt;N/A&lt;/OAuthClientId&gt;        &lt;OAuthGrant&gt;N/A&lt;/OAuthGrant&gt;      &lt;/Component&gt;      &lt;Component xsi:type=\\\"RequestAuditComponent\\\"&gt;        &lt;Server&gt;https://axfs.domain.com/adfs&lt;/Server&gt;        &lt;AuthProtocol&gt;OAuth&lt;/AuthProtocol&gt;        &lt;NetworkLocation&gt;Extranet&lt;/NetworkLocation&gt;        &lt;IpAddress&gt;10.10.xx.xx&lt;/IpAddress&gt;        &lt;ProxyServer&gt;10.10.xx.xx&lt;/ProxyServer&gt;        &lt;UserAgentString&gt;Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36&lt;/UserAgentString&gt;        &lt;Endpoint&gt;/adfs/oauth2/authorize/&lt;/Endpoint&gt;      
&lt;/Component&gt;    &lt;/ContextComponents&gt;  &lt;/AuditBase&gt;"}}},"location":"EventChannel"}

I think it is not much different from archives.log.

So, do I need to change /var/ossec/ruleset/rules/0575-win-base_rules.xml directly and add child rules based on your suggestion, and then make an alert rule in /var/ossec/etc/rules/local_rules.xml?

Thank You,

riiky devils

Aug 20, 2021, 1:44:48 AM
to Wazuh mailing list
Hi Fabricio,

I'm sorry, I forgot something: the main reason is that I want to extract the IP address, Proxy server, UserID, Network Location and Endpoint information from success and failure events in the ADFS auditing log provided.

Thank You,

Fabricio Brunetti

Aug 20, 2021, 10:42:54 AM
to Wazuh mailing list
Hi Riiky,

The log you provided can be parsed. So it's good.
The changes to /var/ossec/ruleset/rules/0575-win-base_rules.xml are just for testing with wazuh-logtest; once you want to put the rules into production, you need to set it back to its default values.
The problem is that the windows_eventchannel decoder can't be extended, so we can't parse win.eventdata.data to get IP address, Proxy, UserId, etc. (we are working to fix this).
The most we can do for now is generate an alert when some specific value is present in the log; it's not good for making a general rule (for example, we can generate an alert when a certain Network Location is used, but we can't display its value in the description).

Let me know if I can help you writing alert rules.

Regards,
Fabricio
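
The reply above says the windows_eventchannel decoder cannot pull IpAddress, UserId and the other values out of the XML embedded in the event. One way to get them is to post-process archives.json outside Wazuh. The Python below is an added example, not part of the original thread and not Wazuh code; the function name extract_adfs_fields and the sample event are constructed for illustration, and it reads win.system.message because that copy of the XML is not HTML-escaped.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the archives.json event in this thread (placeholder values).
AUDIT_XML = (
    '<?xml version="1.0" encoding="utf-16"?>\r\n'
    '<AuditBase xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xsi:type="FreshCredentialAudit">\r\n'
    '  <AuditType>FreshCredentials</AuditType>\r\n'
    '  <AuditResult>Failure</AuditResult>\r\n'
    '  <ContextComponents>\r\n'
    '    <Component xsi:type="ResourceAuditComponent">\r\n'
    '      <UserId>EXAMPLE\\alice</UserId>\r\n'
    '    </Component>\r\n'
    '    <Component xsi:type="RequestAuditComponent">\r\n'
    '      <NetworkLocation>Extranet</NetworkLocation>\r\n'
    '      <IpAddress>192.0.2.10</IpAddress>\r\n'
    '      <ProxyServer>N/A</ProxyServer>\r\n'
    '      <Endpoint>/adfs/oauth2/authorize/</Endpoint>\r\n'
    '    </Component>\r\n  </ContextComponents>\r\n'
    '</AuditBase>'
)
SAMPLE_LINE = json.dumps({"data": {"win": {"system": {
    "providerName": "AD FS Auditing", "eventID": "1202",
    "message": '"The Federation Service validated a new credential. '
               'See XML for details. \r\n\r\nActivity ID: 00000000-aaaa \r\n\r\n'
               'Additional Data \r\nXML: ' + AUDIT_XML + '"'}}}})

AUDIT_RE = re.compile(r"<AuditBase\b.*?</AuditBase>", re.DOTALL)
ACTIVITY_RE = re.compile(r"Activity ID:\s*(\S+)")

def extract_adfs_fields(archive_line):
    """Return a flat dict of AD FS audit fields, or None if not parseable."""
    system = json.loads(archive_line).get("data", {}).get("win", {}).get("system", {})
    if system.get("providerName") != "AD FS Auditing":
        return None
    message = system.get("message", "")
    # Slice from the root element: this drops the utf-16 declaration and anything
    # before the root, so untrusted log content cannot bring a DTD with entities.
    found = AUDIT_RE.search(message)
    if not found:
        return None
    try:
        root = ET.fromstring(found.group(0))
    except ET.ParseError:
        return None
    fields = {"EventID": system.get("eventID")}
    activity = ACTIVITY_RE.search(message)
    if activity:
        fields["ActivityId"] = activity.group(1)
    for elem in root.iter():
        # Keep leaf elements only and skip the "N/A" placeholder values.
        if len(elem) == 0 and elem.text and elem.text.strip() != "N/A":
            fields[elem.tag] = elem.text.strip()
    return fields

if __name__ == "__main__":
    print(json.dumps(extract_adfs_fields(SAMPLE_LINE), indent=2))
```

The returned dict can be written out as one JSON object per line and collected as a separate log source, where each key becomes its own field.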

Ausy R

Dec 14, 2022, 10:06:13 AM
to Wazuh mailing list
Hi Team,
"Problem is that the windows_eventchannel decoder can't be extended so we can't parse win.eventdata.data to get IP address, Proxy, UserId, etc, (we are working to fix this)." 

Has anything changed with the newer version of Wazuh? Is it possible to decode these fields, like bringing in a new child decoder for the windows_eventchannel decoder?

Thanks,
Ausy

ChiewJH

Jan 19, 2024, 7:34:02 AM
to Wazuh | Mailing List
Hi All,

I'm having the same issue: I need to grab the following items in the message as metakeys (value/field) from the ADFS audit log:
-Activity ID
-RelyingParty
-UserId
-Server
-NetworkLocation
-IpAddress
-ForwardedIpAddress

Is there a solution or any way I can modify or decode it?

Thank You