Wazuh Alert Full logs


Miran Ul Haq

May 8, 2024, 1:28:19 PM
to Wazuh | Mailing List
Hi All,

I was testing a few alerts in Wazuh. One of them was for creating a local user account. The rule fired when I created an account, but the logs didn't specify by which user. The following is the full log which I got on Wazuh:

May  8 wazuh1 useradd[1338641]: new user: name=tempuser, UID=1001, GID=1001, home=/home/tempuser, shell=/bin/sh, from=/dev/pts/3

Similarly, for deletion of a user:

May  8 wazuh1 userdel[1406029]: delete user 'tempuser'

My concern is how to log which user created or deleted the account. Is there a way to modify the full logs or something?

Would appreciate the assistance.

Thanks.

Leonardo Daniel Sancho

May 8, 2024, 5:13:46 PM
to Wazuh | Mailing List
Hello Miran Ul Haq, could you please provide us with the rule and decoder that is being used to generate alerts on this event? As well as the raw log from the device?

One way to obtain said log if you don't have access to the device would be to enable Archives. The Wazuh archives refer to the storage files created by the Wazuh server that contain logs, alerts, and other security-related data collected from monitored endpoints. Wazuh archives store all events received by the Wazuh server, whether or not they trip a rule. Wazuh archives are useful for threat hunting, as security teams use archived logs to review historical data of security incidents, analyze trends, and generate reports.

By default, Wazuh archives are disabled because they store a large number of logs on the Wazuh server. When enabled, Wazuh archives allow organizations to store and retain security data for compliance and forensic purposes. You can read more about it here: https://documentation.wazuh.com/current/user-manual/manager/wazuh-archives.html

Keep in mind that you should keep Archives enabled for a short period or for troubleshooting purposes and then disable it right after to prevent your storage from being completely filled up.


I'll be waiting for your answer to further continue the troubleshooting process.

Miran Ul Haq

May 10, 2024, 6:48:21 AM
to Wazuh | Mailing List
Hi Leonardo,

Thanks for the response. To start with, let me share the ruleset test, the rule and the decoder against the log:


"May  8 wazuh1 useradd[1338641]: new user: name=tempuser, UID=1001, GID=1001, home=/home/tempuser, shell=/bin/sh, from=/dev/pts/3 "

RULESET TEST LOGS:

**Phase 1: Completed pre-decoding.
full event: 'May  8 17:55:48 wazuh1 useradd[1338641]: new user: name=tempuser, UID=1001, GID=1001, home=/home/tempuser, shell=/bin/sh, from=/dev/pts/3'
timestamp: 'May  8 17:55:48'
hostname: 'wazuh1'
program_name: 'useradd'

**Phase 2: Completed decoding.
name: 'useradd'
parent: 'useradd'
dstuser: 'tempuser'
gid: '1001'
home: '/home/tempuser'
shell: '/bin/sh,'
uid: '1001'

**Phase 3: Completed filtering (rules).
id: '5902'
level: '8'
description: 'New user added to the system.'
groups: '["syslog","adduser"]'
firedtimes: '2'
gdpr: '["IV_35.7.d","IV_32.2"]'
gpg13: '["4.13"]'
hipaa: '["164.312.b","164.312.a.2.I","164.312.a.2.II"]'
mail: 'true'
mitre.id: '["T1136"]'
mitre.tactic: '["Persistence"]'
mitre.technique: '["Create Account"]'
nist_800_53: '["AU.14","AC.7","AC.2","IA.4"]'
pci_dss: '["10.2.7","10.2.5","8.1.2"]'
tsc: '["CC6.8","CC7.2","CC7.3"]'
**Alert to be generated.



RULE:

  <rule id="5902" level="8">
    <match>^new user|^new account added</match>
    <description>New user added to the system.</description>
    <mitre>
      <id>T1136</id>
    </mitre>
    <group>pci_dss_10.2.7,pci_dss_10.2.5,pci_dss_8.1.2,gpg13_4.13,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.2,nist_800_53_IA.4,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>


DECODER:

<decoder name="useradd">
    <program_name>useradd</program_name>
</decoder>

Miran Ul Haq

May 10, 2024, 6:49:55 AM
to Wazuh | Mailing List
To add further,

I have enabled the archives for troubleshooting; however, I want this activity to be logged on the Wazuh dashboard, including the person/user who performed this activity.

Thanks.

Leonardo Daniel Sancho

May 10, 2024, 5:42:50 PM
to Wazuh | Mailing List
Hello Miran Ul Haq, with some small modifications the user field can be added to the existing rules. You may check them and add them to your local_rules.xml file to see them in action; here we have both examples:

  <rule id="5902" level="8" overwrite="yes">
    <match>^new user|^new account added</match>
    <description>New user: $(dstuser) added to the system.</description>
    <mitre>
      <id>T1136</id>
    </mitre>
    <group>pci_dss_10.2.7,pci_dss_10.2.5,pci_dss_8.1.2,gpg13_4.13,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.2,nist_800_53_IA.4,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="5903" level="3" overwrite="yes">
    <match>^delete user|^account deleted|^remove group</match>
    <description>Group (or user $(dstuser)) deleted from the system.</description>
    <mitre>
      <id>T1531</id>
    </mitre>
    <group>pci_dss_10.2.7,pci_dss_10.2.5,pci_dss_8.1.2,gpg13_4.13,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.2,nist_800_53_IA.4,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>


Keep in mind that overwrite="yes" is being used to overwrite the existing rules, because these ones add the missing field that you requested. Once you add them, you may save the file and restart your manager by typing systemctl restart wazuh-manager, and you'll be ready to use them immediately. For more information on how you can create a custom ruleset or modify the existing Wazuh ruleset, you may refer to the following article: https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Have a great day!

Miran Ul Haq

May 14, 2024, 10:44:46 AM
to Wazuh | Mailing List
Hi Leonardo,

Thanks for the response.
Similarly, if we add

  <description>New user: $(dstuser) added to the system by $(srcuser)</description>

Would this work correctly?

Thanks again for the assistance.

Leonardo Daniel Sancho

May 14, 2024, 12:25:34 PM
to Wazuh | Mailing List
Hello Miran Ul Haq, your assumption is correct, but keep in mind that the label srcuser must be decoded to be used, and to be decoded it must be present in the event; otherwise it can't be used and the alert will not trigger at all.

After looking at the logs provided by you, these do not carry information that can be decoded to become part of the alert; therefore, adding this label would only cause you to stop receiving this alert.

You can read more about the available labels and the rules syntax by visiting this link: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rules-syntax

Should you have further questions let us know!
Have a great day!
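To make the point in the reply above concrete, here is an added example (not part of the thread and not Wazuh's own decoder or rule engine) that mimics the three phases of the ruleset test on the two log lines quoted earlier: syslog pre-decoding, field extraction for useradd/userdel, and expansion of a rule description that references fields with $(name). The sample events, the function names and the regular expressions are all my own; the real Wazuh decoders are not reproduced here. The script shows that the useradd line yields dstuser, uid, gid, home and shell but no srcuser, so a description template referencing $(srcuser) cannot be resolved from this event; the from= value is the controlling terminal, which identifies a session, not the invoking account.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events, modelled on the two lines quoted in the thread.
USERADD_EVENT = ("May  8 17:55:48 wazuh1 useradd[1338641]: new user: name=tempuser, "
                 "UID=1001, GID=1001, home=/home/tempuser, shell=/bin/sh, from=/dev/pts/3")
USERDEL_EVENT = "May  8 18:02:11 wazuh1 userdel[1406029]: delete user 'tempuser'"

# Phase 1: syslog header (timestamp, hostname, program name with optional PID).
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[:]+)(?:\[\d+\])?: (?P<message>.*)$"
)

# Phase 2: program-specific field extraction (hypothetical patterns, not Wazuh's).
USERADD_RE = re.compile(
    r"new user: name=(?P<dstuser>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+), "
    r"home=(?P<home>[^,]+), shell=(?P<shell>[^,]+)(?:, from=(?P<tty>\S+))?"
)
USERDEL_RE = re.compile(r"delete user '(?P<dstuser>[^']+)'")

# Phase 3 helper: $(field) references inside a rule description.
TEMPLATE_RE = re.compile(r"\$\((\w+)\)")


def predecode(event: str) -> Optional[Dict[str, str]]:
    """Split the syslog header off the message; None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(event)
    return m.groupdict() if m else None


def decode(event: str) -> Optional[Dict[str, str]]:
    """Extract the fields a useradd/userdel decoder could carry into an alert.

    Note that nothing in either message names the account that ran the command:
    'tty' (from=/dev/pts/3) is a terminal, not a user, so no 'srcuser' is produced.
    """
    pre = predecode(event)
    if pre is None:
        return None
    fields = {"program_name": pre["program_name"].strip()}
    pattern = {"useradd": USERADD_RE, "userdel": USERDEL_RE}.get(fields["program_name"])
    if pattern is None:
        return fields
    m = pattern.match(pre["message"])
    if m:
        # Drop optional groups that did not match (e.g. a missing from= part).
        fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


def unresolved_fields(template: str, fields: Dict[str, str]) -> List[str]:
    """Names referenced as $(name) in the description that the decoder did not produce."""
    return [name for name in TEMPLATE_RE.findall(template) if name not in fields]


def render_description(template: str, fields: Dict[str, str]) -> Optional[str]:
    """Expand $(name) references; None when any reference has no decoded value.

    Returning None models the situation described in the reply above, where a
    label that is absent from the event cannot be used by the rule.
    """
    if unresolved_fields(template, fields):
        return None
    return TEMPLATE_RE.sub(lambda m: fields[m.group(1)], template)


if __name__ == "__main__":
    for event in (USERADD_EVENT, USERDEL_EVENT):
        fields = decode(event)
        print(fields)
        print(render_description("New user: $(dstuser) added to the system.", fields))
        print(unresolved_fields("New user: $(dstuser) added by $(srcuser)", fields))
```

Running the script shows the useradd event decoding to dstuser=tempuser with no srcuser, so the template that references $(srcuser) reports it as unresolved while the dstuser-only template renders cleanly, which is the difference between the two description lines discussed above.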

Miran Ul Haq

May 15, 2024, 6:47:24 AM
to Wazuh | Mailing List
Aah, I see.

So basically it's the OS event log, not the Wazuh decoder.

Thanks for the help :)