Custom rule for specific user logon #818
Comments
Hi @lucio2047, This happens because of the operation of the Wazuh rules engine.
The interactive login event is captured by the rule with id
<rule id="100098" level="12">
  <if_sid>60118</if_sid>
  <field name="win.eventdata.targetUserName">^test_user$</field>
  <description>test_user log in</description>
</rule>
Please let me know if this information is useful to you and don't hesitate to ask.
Hello juliancnn, thank you very much for your help. I am gonna test it as soon as possible. Right now I'm writing another custom rule from the 60122 rule in order to detect when user "hello" tries to connect to a server through RDP without privilege. My custom rule follows:
60122 win_authentication_failed, windows, windows_security hello PRUEBA PARA USUARIO hello alert_by_email
But nothing happens. When the "hello" user tries to make an RDP connection to a server, I only see the 60122 event ID with level 5 (default rule) and obviously the email alert does not arrive in my inbox. What is wrong?
The problem is the When the RDP login fails, an event like the following is generated:
This event triggers an alert in the Wazuh manager, and it could be seen from Kibana in JSON format.
The available fields are inside the JSON object with Finally, the rule could be like the following.
<rule id="100098" level="12">
  <if_sid>60122</if_sid>
  <field name="win.eventdata.targetUserName">^hello$</field>
  <description>RDP: failed login attempt for user hello</description>
</rule>
Please let me know if this new rule works
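The two rules in this thread work because of two mechanisms of the Wazuh engine: a child rule only fires for events that already matched the parent named in `<if_sid>`, and every `<field>` regex has to match the decoded field (here `win.eventdata.targetUserName`), so an anchored `^hello$` does not fire for `hello2`. The following Python script is an added example (not Wazuh code and not from anyone in this thread) that simulates only those two mechanisms over constructed Windows events, so you can see which rule and level an event ends up with and whether it crosses the email threshold. It assumes rule id 100099 for the RDP rule (the thread reuses 100098 for both), uses Python's `re` instead of Wazuh's own regex engine, and treats the parent levels 3 (60118) and 5 (60122) and the email threshold 12 as values taken from the reporter's description.

```python
"""Minimal simulation of how a Wazuh child rule with <if_sid> and <field> fires.

Added example, not Wazuh's engine: it re-implements only rule chaining via
<if_sid> and anchored regex matching on a decoded field, using Python's re
module rather than Wazuh's OS_Regex syntax.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed local_rules.xml with the two custom rules from the thread.
# The RDP rule gets id 100099 here (assumed) so the two ids do not collide.
LOCAL_RULES = """
<group name="local,windows,">
  <rule id="100098" level="12">
    <if_sid>60118</if_sid>
    <field name="win.eventdata.targetUserName">^test_user$</field>
    <description>test_user log in</description>
  </rule>
  <rule id="100099" level="12">
    <if_sid>60122</if_sid>
    <field name="win.eventdata.targetUserName">^hello$</field>
    <description>RDP: failed login attempt for user hello</description>
  </rule>
</group>
"""

# Levels of the stock parent rules as reported in the thread (assumed values).
PARENT_LEVELS = {"60118": 3, "60122": 5}
# ossec.conf email threshold the reporter describes (level 12 or higher).
EMAIL_ALERT_LEVEL = 12


@dataclass
class Rule:
    id: str
    level: int
    if_sid: str
    fields: dict          # dotted field name -> regex
    description: str


def load_rules(xml_text):
    """Parse every <rule> in a <group> into Rule objects."""
    root = ET.fromstring(xml_text)
    rules = []
    for node in root.iter("rule"):
        rules.append(Rule(
            id=node.get("id"),
            level=int(node.get("level")),
            if_sid=(node.findtext("if_sid") or "").strip(),
            fields={f.get("name"): f.text for f in node.findall("field")},
            description=node.findtext("description", ""),
        ))
    return rules


def get_field(event, dotted):
    """Walk a decoded event dict by a dotted path such as win.eventdata.targetUserName."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def field_matches(event, name, regex):
    value = get_field(event, name)
    return value is not None and re.search(regex, str(value)) is not None


def match_child(rules, parent_sid, event):
    """Return the first child of parent_sid whose every <field> regex matches, else None."""
    for rule in rules:
        if rule.if_sid != parent_sid:
            continue
        if all(field_matches(event, n, rx) for n, rx in rule.fields.items()):
            return rule
    return None


def evaluate(rules, parent_sid, event):
    """Final (rule id, level, will_email) for one event that already hit parent_sid."""
    child = match_child(rules, parent_sid, event)
    rule_id = child.id if child else parent_sid
    level = child.level if child else PARENT_LEVELS[parent_sid]
    return rule_id, level, level >= EMAIL_ALERT_LEVEL


def win_event(user, logon_type, event_id):
    """Constructed decoded Windows Security event, shaped like Wazuh's win.* fields."""
    return {"win": {"system": {"eventID": event_id},
                    "eventdata": {"targetUserName": user, "logonType": logon_type}}}


RULES = load_rules(LOCAL_RULES)

if __name__ == "__main__":
    # Failed RDP logon for "hello" -> 100099 level 12 -> email; "hello2" stays at 60122 level 5.
    for parent, ev in [("60122", win_event("hello", "10", "4625")),
                       ("60122", win_event("hello2", "10", "4625")),
                       ("60118", win_event("test_user", "2", "4624")),
                       ("60118", win_event("hello", "2", "4624"))]:
        print(parent, evaluate(RULES, parent, ev))
```

The last case in the demo is the situation from the original post: an interactive logon for "hello" hits parent 60118, and a custom rule chained to 60122 never sees it, so the event keeps the parent's level and no email is sent.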
Yes! Thank you very much.
You're welcome, if you have new concerns do not hesitate to ask.
Hello everyone. Thank you for your help.
Well, I need to generate an alert by email when a specific user makes a login to the system, for example the "hello" user.
The current Wazuh configuration generates an alert by email for rules with level 12 or higher. This configuration is present in ossec.conf. But I would like to generate an alert by mail when user "hello" logs on to the system through logon type 2 (interactive).
What kind of rule should I write? I made a custom rule inside /var/ossec/etc/rules/local_rules.xml like this but it does not work.
When the "hello" user logs on to the system through interactive mode, I see an event like 60122 with level 3 (predefined rule set).
My custom rule:
60122 ^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$ ^example$ Windows Logon Failure alert_by_mail
Thank you very much.