Hi ossec community,

I'm wondering if the rule with ID 17101 (policy_rules) could also be triggered for 
events derived from Windows agents. I'm testing the following log with 
ossec-logtest, but only the rule with ID 18107 (ms_auth_rules) gets 
triggered:

2021 Oct 22 02:41:37 WinEvtLog: Security: AUDIT_SUCCESS(4624): 
Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.*****.DOMAIN: 
Win2016-1.AD.*****.domain: An account was successfully logged on. Subject:  
Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  
0x0  Logon Type:   3  New Logon:  Security ID:  S-1-5-18  Account Name:  
WIN2016-1$  Account Domain:  AD.*****.DOMAIN  Logon ID:  0x7effdf27325  
Logon GUID:  {BB6F5B99-2E84-D711-F3ED-2D759EA2B180}  Process Information:  
Process ID:  0x0  Process Name:  -  Network Information:  Workstation Name: 
-  Source Network Address: ::1  Source Port:  87***  Detailed 
Authentication Information:  Logon Process:  Kerberos  Authentication 
Package: Kerberos  Transited Services: -  Package Name (NTLM only): -  Key 
Length:  0  This event is generated when a logon session is created. It is 
generated on the computer that was accessed.

*ossec-logtest*:

**Phase 3: Completed filtering (rules).
       Rule id: '18107'
       Level: '3'
       Description: 'Windows Logon Success.'
**Alert to be generated.

I've tried to add a local rule adapted to the windows group, like the one below, but 
with no results: 

<group name="local,windows,">

  <rule id="100020" level="9">
    <if_group>authentication_success</if_group>
    <time>7 pm - 7:00 am</time>
    <description>Successful login during non-business hours</description>
    <group>login_time,</group>
    <options>no_ar</options>
  </rule>

</group>

I would be grateful for any help.
Angel
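To see whether the quoted 4624 event would even satisfy the `<time>7 pm - 7:00 am</time>` condition of the local rule above, here is an added checker (example code written for this thread, not part of OSSEC) that evaluates an OSSEC-style time range, including the wrap past midnight, against the timestamp in the log line. OSSEC itself compares `<time>` against the clock at the moment the event is analysed, so an ossec-logtest run outside the window will not fire the rule no matter what the log says; the helper takes the timestamp as a parameter instead. The group set for rule 18107 is an assumption used for the demonstration.

```python
import re
from datetime import datetime, time

# Constructed sample: the leading fields of the 4624 event quoted in the question.
SAMPLE_EVENT = ("2021 Oct 22 02:41:37 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
                "Microsoft-Windows-Security-Auditing: WIN2016-1$: ...")

# Assumption: the parent alert (rule 18107) carries the authentication_success group.
MATCHED_GROUPS_18107 = {"authentication_success"}

def parse_event_time(line):
    """Extract the 'YYYY Mon DD HH:MM:SS' timestamp that leads the WinEvtLog line."""
    m = re.match(r"\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}", line)
    if not m:
        raise ValueError("no leading timestamp found")
    return datetime.strptime(m.group(0), "%Y %b %d %H:%M:%S")

def parse_clock(text):
    """Parse one side of a <time> range: '7 pm', '7:00 am' or '19:00'.
    Simplified reading of the OSSEC grammar (assumption), not OSSEC's own parser."""
    m = re.fullmatch(r"(\d{1,2})(?::(\d{2}))?\s*(am|pm)?", text.strip().lower())
    if not m:
        raise ValueError(f"unsupported time expression: {text!r}")
    hour, minute, meridiem = int(m.group(1)), int(m.group(2) or 0), m.group(3)
    if meridiem:
        hour = 0 if hour == 12 else hour        # 12 am -> 00, 12 pm -> 12
        if meridiem == "pm":
            hour += 12
    return time(hour, minute)

def in_time_range(rule_time, when):
    """True if datetime `when` falls inside a range such as '7 pm - 7:00 am'.
    An end earlier than the start means the window wraps past midnight."""
    start_text, end_text = rule_time.split("-", 1)
    start, end = parse_clock(start_text), parse_clock(end_text)
    t = when.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end

def would_fire(rule_time, parent_groups, when):
    """Mimic rule 100020: parent alert in authentication_success AND time inside the window."""
    return "authentication_success" in parent_groups and in_time_range(rule_time, when)

if __name__ == "__main__":
    event_time = parse_event_time(SAMPLE_EVENT)
    print("event at", event_time.time(), "-> rule 100020 would fire:",
          would_fire("7 pm - 7:00 am", MATCHED_GROUPS_18107, event_time))
```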

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/8732fb42-d05f-42c6-9945-f29021d19116n%40googlegroups.com.