Add field Decoder windows_eventchannel

44 views
Skip to first unread message

phàng tú linh

unread,
Apr 16, 2024, 6:27:16 AMApr 16
to Wazuh | Mailing List
Hi Wazuh Team
I have an event as follows in security Event
I want to add a field called Client IP, how can I do that?
{ "_index": "wazuh-alerts-4.x-2024.04.16", "_id": "x0xq5o4Bth_0QFEHmZPf", "_version": 1, "_score": null, "_source": { "cluster": { "node": "wazuhserverworker", "name": "wazuh" }, "input": { "type": "log" }, "agent": { "ip": "10.10.10.10", "name": "XXXXX-HOST", "id": "009" }, "manager": { "name": "wazuhserverworker" }, "data": { "win": { "eventdata": { "data": "sa, Reason: Password did not match that for the login provided., [CLIENT: 118.118.118.118]", "binary": "184800000E0000000D000000530051004C0032003000310036002D0048004F00530054000000070000006D00610073007400650072000000" }, "system": { "eventRecordID": "111936843", "eventID": "18456", "computer": "XXXXX-HOST.XXXXXX", "task": "4", "keywords": "0x90000000000000", "level": "0", "severityValue": "AUDIT_FAILURE", "channel": "Application", "message": "\"Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 118.118.118.118  ]\"", "systemTime": "2024-04-16T10:18:48.122741800Z", "providerName": "XXXXXSERVER"
"Client IP":  "118.118.118.118"   } } }, "rule": { "firedtimes": 5710, "mail": false, "level": 5, "hipaa": [ "164.312.b" ], "pci_dss": [ "10.2.4", "10.2.5" ], "tsc": [ "CC6.1", "CC6.8", "CC7.2", "CC7.3" ], "description": "MS SQL server logon failure.", "groups": [ "windows", "windows_application", "authentication_failed" ], "id": "61071", "nist_800_53": [ "AC.7", "AU.14" ], "gdpr": [ "IV_32.2", "IV_35.7.d" ], "gpg13": [ "7.1" ] }, "location": "EventChannel", "decoder": { "name": "windows_eventchannel" }, "id": "1713262728.483813893", "timestamp": "2024-04-16T10:18:48.218+0000" }, "fields": { "timestamp": [ "2024-04-16T10:18:48.218Z" ] }, "highlight": { "cluster.name": [ "@opensearch-dashboards-highlighted-field@wazuh@/opensearch-dashboards-highlighted-field@" ], "rule.groups": [ "@opensearch-dashboards-highlighted-field@authentication_failed@/opensearch-dashboards-highlighted-field@" ] }, "sort": [ 1713262728218 ] } Thank For Team

Obinna Uchubilo

unread,
Apr 17, 2024, 3:55:41 AMApr 17
to Wazuh | Mailing List
Hello,

Thanks for using Wazuh!

Can you clarify what you intend to do?

Regards

phàng tú linh

unread,
Apr 17, 2024, 4:10:28 AMApr 17
to Wazuh | Mailing List
Hi Wazuh Team
I receive a large number of Login failed events as sent, I want to filter out which IPs created that amount of logs. My intention is to create a CLIENT IP field to be able to filter out these IPs
Regards
Vào lúc 14:55:41 UTC+7 ngày Thứ Tư, 17 tháng 4, 2024, Obinna Uchubilo đã viết:

Obinna Uchubilo

unread,
Apr 17, 2024, 10:04:11 AMApr 17
to Wazuh | Mailing List
Hello Phang,

From your statement, I believe you want to limit the number of alerts you get when the offender is from a single client IP. I will suggest that you create a custom rule and set the frequency and the field data to monitor. For more information check documentation on using <same_field> and frequency in creating custom rules.

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#same-field

Regards
Reply all
Reply to author
Forward
0 new messages