Add field Decoder windows_eventchannel


phàng tú linh

Apr 16, 2024, 6:27:16 AM
to Wazuh | Mailing List
Hi Wazuh Team,
I have an event as follows in the Security Events view.
I want to add a field called "Client IP"; how can I do that?
{
  "_index": "wazuh-alerts-4.x-2024.04.16",
  "_id": "x0xq5o4Bth_0QFEHmZPf",
  "_version": 1,
  "_score": null,
  "_source": {
    "cluster": { "node": "wazuhserverworker", "name": "wazuh" },
    "input": { "type": "log" },
    "agent": { "ip": "10.10.10.10", "name": "XXXXX-HOST", "id": "009" },
    "manager": { "name": "wazuhserverworker" },
    "data": {
      "win": {
        "eventdata": {
          "data": "sa, Reason: Password did not match that for the login provided., [CLIENT: 118.118.118.118]",
          "binary": "184800000E0000000D000000530051004C0032003000310036002D0048004F00530054000000070000006D00610073007400650072000000"
        },
        "system": {
          "eventRecordID": "111936843",
          "eventID": "18456",
          "computer": "XXXXX-HOST.XXXXXX",
          "task": "4",
          "keywords": "0x90000000000000",
          "level": "0",
          "severityValue": "AUDIT_FAILURE",
          "channel": "Application",
          "message": "\"Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 118.118.118.118  ]\"",
          "systemTime": "2024-04-16T10:18:48.122741800Z",
          "providerName": "XXXXXSERVER",
          "Client IP": "118.118.118.118"
        }
      }
    },
    "rule": {
      "firedtimes": 5710,
      "mail": false,
      "level": 5,
      "hipaa": [ "164.312.b" ],
      "pci_dss": [ "10.2.4", "10.2.5" ],
      "tsc": [ "CC6.1", "CC6.8", "CC7.2", "CC7.3" ],
      "description": "MS SQL server logon failure.",
      "groups": [ "windows", "windows_application", "authentication_failed" ],
      "id": "61071",
      "nist_800_53": [ "AC.7", "AU.14" ],
      "gdpr": [ "IV_32.2", "IV_35.7.d" ],
      "gpg13": [ "7.1" ]
    },
    "location": "EventChannel",
    "decoder": { "name": "windows_eventchannel" },
    "id": "1713262728.483813893",
    "timestamp": "2024-04-16T10:18:48.218+0000"
  },
  "fields": { "timestamp": [ "2024-04-16T10:18:48.218Z" ] },
  "highlight": {
    "cluster.name": [ "@opensearch-dashboards-highlighted-field@wazuh@/opensearch-dashboards-highlighted-field@" ],
    "rule.groups": [ "@opensearch-dashboards-highlighted-field@authentication_failed@/opensearch-dashboards-highlighted-field@" ]
  },
  "sort": [ 1713262728218 ]
}
Thank you, Team.

Obinna Uchubilo

Apr 17, 2024, 3:55:41 AM
to Wazuh | Mailing List
Hello,

Thanks for using Wazuh!

Can you clarify what you intend to do?

Regards

phàng tú linh

Apr 17, 2024, 4:10:28 AM
to Wazuh | Mailing List
Hi Wazuh Team,
I receive a large number of "Login failed" events like the one I sent, and I want to filter out which IPs created that amount of logs. My intention is to create a CLIENT IP field to be able to filter out these IPs.
Regards
On Wednesday, April 17, 2024 at 14:55:41 UTC+7, Obinna Uchubilo wrote:

Obinna Uchubilo

Apr 17, 2024, 10:04:11 AM
to Wazuh | Mailing List
Hello Phang,

From your statement, I believe you want to limit the number of alerts you get when the offender is a single client IP. I would suggest that you create a custom rule and set the frequency and the field to monitor. For more information, check the documentation on using <same_field> and frequency when creating custom rules.

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#same-field

Regards
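As an added example (not from this thread and not part of Wazuh's shipped ruleset), here is a custom rule that applies the suggestion above. It fires when rule 61071 (the "MS SQL server logon failure" rule from the original alert) matches repeatedly within a time window with an identical decoded win.eventdata.data value, which is the string that carries the "[CLIENT: x.x.x.x]" address. The rule id 100100, the group name "local", and the frequency and timeframe values are assumptions chosen for illustration.

```xml
<!-- Added example, not from the thread. Place in
     /var/ossec/etc/rules/local_rules.xml on the manager. -->
<group name="local,windows,windows_application,authentication_failed,">

  <!-- Correlation rule: several MS SQL logon failures (rule 61071)
       from the same client within the window. Rule id 100100,
       frequency 8 and timeframe 120 seconds are assumed values. -->
  <rule id="100100" level="10" frequency="8" timeframe="120">
    <if_matched_sid>61071</if_matched_sid>
    <!-- win.eventdata.data is decoded by windows_eventchannel and reads
         "sa, Reason: ..., [CLIENT: 118.118.118.118]" in the sample alert.
         Requiring it to be identical groups the events per client IP
         (and per user and reason, since those are in the same string). -->
    <same_field>win.eventdata.data</same_field>
    <description>Multiple MS SQL logon failures from the same client.</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

After saving the file, restart the manager (systemctl restart wazuh-manager) so the rule is loaded. The correlated alert keeps the decoded fields of the triggering event, so in the dashboard you can filter on rule.id:100100 and visualize data.win.eventdata.data to see which client strings are producing the volume. Because <same_field> compares the whole decoded value, two clients that differ only in IP are kept apart, while one client retrying with the same user and reason is counted as a single offender, which is the behaviour the question asks for.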