Hello,
Thank you for reaching out to us.
To create an alert for the use case you mentioned, you can use Wazuh rules and decoders.
Firstly, you can configure a rule to detect authentication anomalies such as service accounts used for interactive login or service accounts used from non-authorized source systems. This rule can be based on specific log events or patterns in the authentication logs.
Additionally, you can create a rule to detect user logon locally within a short window of a VPN logon or user logon more than an hour before or after normal work periods. These rules can be customized to match your specific environment and log sources.
Once the rules are defined, they can be deployed and monitored using the Wazuh manager and Wazuh agent. The alerts generated by these rules can be sent to the appropriate channels for further investigation and response.
Please refer to this blog post on creating rules and decoders from scratch. You can also check out our detailed use case documentation on different aspects of security to fine-tune your detection.
Regards,
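The four checks the reply lists (service account used interactively, service account used from a non-authorized source, logon outside the normal work period plus a one-hour margin, and a local logon within a short window of a VPN logon), carried through as an added stand-alone reference implementation. This is example Python written for this page, not Wazuh rule XML and not code from the Wazuh project. The `svc_` account prefix, the per-account source allowlist, the 09:00-17:00 work period, the one-hour margin, the ten-minute VPN window and every sample event are assumptions constructed for the example; the event fields mirror the decoded Windows fields Wazuh exposes (`win.eventdata.logonType`, `win.eventdata.targetUserName`, `win.eventdata.ipAddress`). In Wazuh terms, the three single-event checks become `<field>` matches on those fields (an allowlist is normally a CDB `<list>` with `lookup="not_match_key"`), the working-hours check is the rule `<time>` option, and the VPN-then-local correlation needs a composite rule with `frequency`/`timeframe`, which is why it is written here as a stateful pass over the event stream rather than a per-event function.

```python
"""Reference implementation of the logon anomaly checks (added example, not Wazuh code).
All thresholds, names and sample events below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

# --- Tunables (assumptions; adjust to the environment) ----------------------
SERVICE_ACCOUNT_PREFIX = "svc_"
INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}   # Interactive, RemoteInteractive, CachedInteractive
LOCAL_LOGON_TYPES = {"2", "11"}               # console only: a user on the VPN cannot also be at the console
AUTHORIZED_SOURCES = {                        # hypothetical allowlist: account -> source addresses
    "svc_backup": {"10.0.5.10", "10.0.5.11"},
    "svc_sql": {"10.0.7.20"},
}
WORK_START, WORK_END = time(9, 0), time(17, 0)  # normal work period, manager-local time
WORK_MARGIN = timedelta(hours=1)                # tolerance before alerting on out-of-hours logons
VPN_WINDOW = timedelta(minutes=10)              # console logon this close to a VPN logon is suspicious


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str                 # "windows_logon" (4624-like) or "vpn_logon"
    logon_type: str = ""      # win.eventdata.logonType for windows_logon
    src_ip: str = ""          # win.eventdata.ipAddress; "-" means local console
    host: str = ""


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: datetime
    user: str
    detail: str


def is_service_account(user: str) -> bool:
    return user.lower().startswith(SERVICE_ACCOUNT_PREFIX)


def check_service_interactive(ev: Event) -> Optional[Alert]:
    """Service account used for an interactive (console/RDP) logon."""
    if ev.kind == "windows_logon" and is_service_account(ev.user) and ev.logon_type in INTERACTIVE_LOGON_TYPES:
        return Alert("service_account_interactive", ev.ts, ev.user, f"logon type {ev.logon_type} on {ev.host}")
    return None


def check_service_source(ev: Event) -> Optional[Alert]:
    """Service account authenticating from a host not on its allowlist.
    Console logons carry no source ("-") and are left to the interactive check; an account
    with no allowlist entry has no authorized sources, so any remote use alerts (fail closed)."""
    if ev.kind != "windows_logon" or not is_service_account(ev.user):
        return None
    if ev.src_ip in ("", "-", "127.0.0.1", "::1"):
        return None
    if ev.src_ip not in AUTHORIZED_SOURCES.get(ev.user, set()):
        return Alert("service_account_unauthorized_source", ev.ts, ev.user, f"from {ev.src_ip} to {ev.host}")
    return None


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end]; the range may wrap past midnight (night shifts)."""
    return start <= t <= end if start <= end else (t >= start or t <= end)


def check_outside_hours(ev: Event) -> Optional[Alert]:
    """Any logon more than WORK_MARGIN before or after the normal work period."""
    day = ev.ts.date()
    allowed_start = (datetime.combine(day, WORK_START) - WORK_MARGIN).time()
    allowed_end = (datetime.combine(day, WORK_END) + WORK_MARGIN).time()
    if not in_window(ev.ts.time(), allowed_start, allowed_end):
        return Alert("logon_outside_hours", ev.ts, ev.user,
                     f"{ev.kind} at {ev.ts:%H:%M} (allowed {allowed_start:%H:%M}-{allowed_end:%H:%M})")
    return None


def check_vpn_then_local(events: list) -> list:
    """Console logon by a user within VPN_WINDOW of that user's VPN logon (either order).
    Stateful correlation across events; Wazuh expresses this with frequency/timeframe rules."""
    vpn_by_user: dict = {}
    for ev in events:
        if ev.kind == "vpn_logon":
            vpn_by_user.setdefault(ev.user, []).append(ev.ts)
    alerts = []
    for ev in events:
        if ev.kind != "windows_logon" or ev.logon_type not in LOCAL_LOGON_TYPES:
            continue
        for vpn_ts in vpn_by_user.get(ev.user, []):
            if abs(ev.ts - vpn_ts) <= VPN_WINDOW:
                alerts.append(Alert("local_logon_near_vpn_logon", ev.ts, ev.user,
                                    f"console logon on {ev.host} {abs(ev.ts - vpn_ts)} from VPN logon at {vpn_ts:%H:%M}"))
                break
    return alerts


def analyze(events: list) -> list:
    """Run every check over the event stream; alerts come back in event-time order."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        for check in (check_service_interactive, check_service_source, check_outside_hours):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    alerts.extend(check_vpn_then_local(events))
    return sorted(alerts, key=lambda a: (a.ts, a.rule))


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample events (not real logs): one noisy service-account RDP logon at night,
# one benign service-account network logon, one from a wrong host, a VPN logon followed four
# minutes later by a console logon for the same user, and two ordinary console logons.
SAMPLE_EVENTS = [
    Event(parse_ts("2024-03-04 02:15"), "svc_backup", "windows_logon", "10", "203.0.113.8", "FS01"),
    Event(parse_ts("2024-03-04 09:30"), "svc_backup", "windows_logon", "3", "10.0.5.10", "FS01"),
    Event(parse_ts("2024-03-04 09:31"), "svc_sql", "windows_logon", "3", "10.0.9.99", "DB01"),
    Event(parse_ts("2024-03-04 12:00"), "alice", "vpn_logon", src_ip="198.51.100.23"),
    Event(parse_ts("2024-03-04 12:04"), "alice", "windows_logon", "2", "-", "WS-ALICE"),
    Event(parse_ts("2024-03-04 08:15"), "bob", "windows_logon", "2", "-", "WS-BOB"),
    Event(parse_ts("2024-03-04 19:30"), "carol", "windows_logon", "2", "-", "WS-CAROL"),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"{a.ts:%Y-%m-%d %H:%M}  {a.rule:<38} {a.user:<12} {a.detail}")
```

Run as-is and the 02:15 `svc_backup` event raises all three single-event alerts, `svc_sql` raises only the unauthorized-source alert, `alice` raises the VPN correlation alert, and `carol` the out-of-hours alert; `bob` at 08:15 is inside the one-hour margin and stays quiet. Two things worth carrying over into real rules: the allowlist check fails closed for service accounts with no entry, and the working-hours window is evaluated in the manager's local time, so agents in other time zones need their own thresholds.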