New rule for windows admin users when logging in or logging out


Walter Tomas

Feb 13, 2024, 6:47:32 AM
to Wazuh | Mailing List
Hello,

I'm trying to make a rule so that when user1.name.admin, or any user whose name ends with ".admin", logs in, a level 12 alert is raised.
I can't do it at all. Can you help me?

I leave the login and logout logs below.

rule.id: 60137
rule.level: 3
data.win.system.message:

"An account was logged off.

Subject:
Security ID: S-1-5-21-3521608717-3060379358-2082044000-1015
Account Name: user1.name.admin
Account Domain: WIN10357523
Logon ID: 0x139328F8

Logon Type: 2

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."



---------------------------

rule.id: 60118
rule.level: 3
data.win.system.message:


"An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: WIN10357523$
Account Domain: DOM-DOM
Logon ID: 0x3E7

Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: No

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-21-3521608717-3060379358-2082044000-1015
Account Name: user1.name.admin
Account Domain: WIN10357523
Logon ID: 0x13932995
Linked Logon ID: 0x139328F8
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x4e18
Process Name: C:\Windows\System32\consent.exe

Network Information:
Workstation Name: WIN10357523
Source Network Address: ::1
Source Port: 0

Detailed Authentication Information:
Logon Process: CredPro
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
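
One way to express the rule Walter asks for, as an added example that is not part of the original post and not Wazuh's own ruleset: two custom rules for `/var/ossec/etc/rules/local_rules.xml` that raise a level 12 alert when an account ending in ".admin" logs on or off. It assumes the decoded alert carries the `win.eventdata.targetUserName` field (the "Account Name" under "New Logon" in the logon event, and under "Subject" in the logoff event), that rules 60118 and 60137 shown in the post are the parent rules to build on, that the manager is Wazuh 4.2 or later so that `type="pcre2"` is accepted on `<field>`, and that rule IDs 100100 and 100101 are free in the custom range. Note that in the logon event the "Subject" account is the machine account `WIN10357523$`, so matching on `subjectUserName` would never fire; the user account is in the target fields.

```xml
<!-- Added example, not from the original thread or from Wazuh's ruleset.
     Assumptions: win.eventdata.targetUserName is present in the decoded event,
     60118 / 60137 are the parent rules from the post, Wazuh >= 4.2 for pcre2,
     and rule IDs 100100 / 100101 are unused in the local range. -->
<group name="local,windows,admin_accounts,">

  <!-- Successful logon (child of 60118) by any account whose name ends in ".admin".
       The anchor "$" keeps "admin.user" or "adminXYZ" from matching. -->
  <rule id="100100" level="12">
    <if_sid>60118</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">\.admin$</field>
    <description>Windows logon by administrative account $(win.eventdata.targetUserName)</description>
    <group>authentication_success,admin_logon,</group>
  </rule>

  <!-- Logoff (child of 60137) by the same class of accounts. -->
  <rule id="100101" level="12">
    <if_sid>60137</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">\.admin$</field>
    <description>Windows logoff by administrative account $(win.eventdata.targetUserName)</description>
    <group>admin_logoff,</group>
  </rule>

</group>
```

Before restarting the manager, paste the raw JSON of one of the two events above into `/var/ossec/bin/wazuh-logtest` and confirm that the output shows rule 100100 or 100101 firing at level 12; if the field name in the decoded output differs from the assumption here, adjust the `<field name="...">` to match what logtest prints. This is also why the JSON form of the alert, rather than the rendered message text, is what is needed to write the rule.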

Hatem

Feb 14, 2024, 6:50:07 AM
to Walter Tomas, Wazuh | Mailing List
Any updates?

elw...@wazuh.com

Feb 14, 2024, 8:39:38 AM
to Wazuh | Mailing List
Hello Walter,

Can you please share the JSON format of those alerts to provide the custom rule?

Regards,
Wali