Sorry Sandra, again, just realized my mistake: in the same rule I have to just add the option email by alert, that's all.
Have done that, and I am getting the email notification.
Thanks a ton to you for your patience 😊
We could mark it as Resolved.
BR
//Prachi
From: Prachi Katakwar
Sent: 30 June 2021 14:57
To: Sandra Ocando <sandra...@wazuh.com>
Cc: Wazuh mailing list <wa...@googlegroups.com>
Subject: RE: Email Notification -User Authentication Failed - New Case
Hi Sandra,
I have included the rule given by you with rule id = "100007" in local_rules.xml, but on testing the email didn't come ☹
If I give rule id = "100006", then while restarting the Wazuh manager it gives an error about duplicate ids.
[root@sekaissecdetection ~]# cat /var/ossec/etc/rules/local_rules.xml
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2020, Wazuh Inc. -->
<!-- Example -->
<group name="local,syslog,sshd,">
<!--
Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
-->
<rule id="100001" level="5">
<if_sid>5716</if_sid>
<srcip>1.1.1.1</srcip>
<description>sshd: authentication failed from IP 1.1.1.1.</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
<rule id="60612" level="3" overwrite="yes">
<if_sid>60609</if_sid>
<field name="win.system.eventID">^11707$|^1033$</field>
<description>Application Installed $(win.eventdata.data)</description>
<options>no_full_log</options>
<options>no_email_alert</options>
</rule>
<rule id="100002" level="0" noalert="1">
<decoded_as>pulsesecure</decoded_as>
<description>Pulse Secure messages grouped.</description>
</rule>
<rule id="100003" level="3">
<if_sid>100002</if_sid>
<match>Remote address</match>
<description>Pulse secure: Remote address for user changed </description>
</rule>
<rule id="100004" level="3">
<if_sid>100002</if_sid>
<match>Primary authentication successful</match>
<description>Pulse Secure:Primary authentication successful</description>
</rule>
<rule id="100005" level="3">
<if_sid>100002</if_sid>
<match>Login succeeded</match>
<description>Pulse Secure:Login succeeded</description>
</rule>
<rule id="100006" level="3">
<if_sid>100002</if_sid>
<match>Primary authentication failed | Login failed | Authentication failure </match>
<description>Pulse Secure:Login failed</description>
</rule>
<rule id="100007" level="3">
<if_sid>100002</if_sid>
<options>alert_by_email</options>
<match>Primary authentication failed | Login failed | Authentication failure </match>
<description>Pulse Secure:Login failed</description>
</rule>
</group>
From: Sandra Ocando <sandra...@wazuh.com>
Sent: 30 June 2021 08:42
To: Prachi Katakwar <prachi....@ericsson.com>
Cc: Wazuh mailing list <wa...@googlegroups.com>
Subject: Re: Email Notification -User Authentication Failed - New Case
Hi Prachi,
To configure these email notifications you may modify the custom rule to include the alert by mail option:
<rule id="100006" level="3">
<if_sid>100002</if_sid>
<options>alert_by_email</options>
<match>Primary authentication failed | Login failed | Authentication failure </match>
<description>Pulse Secure:Login failed</description>
</rule>
This configuration will override your global settings and you will receive the email notifications although the alert level may be lower than the global setting. Remember to restart the Wazuh manager after editing the rules.
Best regards,
Sandra.
On Tue, Jun 29, 2021 at 2:26 PM Prachi Katakwar <prachi....@ericsson.com> wrote:
Hi Sandra,
Hope you are doing well and staying safe.
Since you were handling the case before and you know the history, I addressed this to you.
Is it possible, whenever we have a user authentication failure, that we could get an email for it?
I mean it's cool that user authentication failures are shown as red points in Kibana, but it would be great if we could also get an email for them.
BR
//Prachi
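As an added example (not Wazuh's own code or anything posted in the thread), the linter below checks a local_rules.xml for the two things that went wrong here: duplicate rule ids, which stop the manager from restarting, and a rule that copies another sibling's <if_sid> and <match>, where only one of the two twins can win the match for an event, so the alert_by_email option on the other is never applied. The sample rules are a constructed excerpt of the thread's file.

```python
"""Lint a Wazuh local_rules.xml for duplicate rule ids and for sibling rules
that repeat another rule's <if_sid> and <match> (only one twin can fire, so an
alert_by_email option on the other never takes effect). Added example."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed excerpt of the thread's local_rules.xml (ids and patterns as posted).
SAMPLE_RULES = """
<group name="local,syslog,sshd,">
  <rule id="100002" level="0" noalert="1">
    <decoded_as>pulsesecure</decoded_as>
  </rule>
  <rule id="100006" level="3">
    <if_sid>100002</if_sid>
    <match>Primary authentication failed | Login failed | Authentication failure </match>
    <description>Pulse Secure:Login failed</description>
  </rule>
  <rule id="100007" level="3">
    <if_sid>100002</if_sid>
    <options>alert_by_email</options>
    <match>Primary authentication failed | Login failed | Authentication failure </match>
    <description>Pulse Secure:Login failed</description>
  </rule>
</group>
"""

def parse_rules(xml_text):
    """One dict per <rule>. A rules file may hold several top-level <group>
    elements and leading comments, so wrap it in a synthetic root first."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    return [{
        "id": r.get("id"),
        "if_sid": (r.findtext("if_sid") or "").strip(),
        "match": (r.findtext("match") or "").strip(),
        "options": [o.text.strip() for o in r.findall("options") if o.text],
    } for r in root.iter("rule")]

def lint_rules(xml_text):
    """Return (duplicate_ids, shadowed_groups, email_rule_ids)."""
    rules = parse_rules(xml_text)
    counts = Counter(r["id"] for r in rules)
    duplicate_ids = sorted(i for i, n in counts.items() if n > 1)
    twins = defaultdict(list)  # (parent id, match pattern) -> rule ids
    for r in rules:
        if r["if_sid"] and r["match"]:
            twins[(r["if_sid"], r["match"])].append(r["id"])
    shadowed_groups = [tuple(ids) for ids in twins.values() if len(ids) > 1]
    email_rule_ids = [r["id"] for r in rules if "alert_by_email" in r["options"]]
    return duplicate_ids, shadowed_groups, email_rule_ids
```

Run it against /var/ossec/etc/rules/local_rules.xml before restarting the manager; the fix from the thread (putting alert_by_email on 100006 itself and dropping 100007) makes both findings disappear.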