Hi

On Friday, October 22, 2021 at 7:46:01 AM UTC-3 Angelos Alevizopoulos wrote:

> Hi ossec community,
>
> I'm wondering if the rule with ID 17101 (policy_rules) could also be triggered for 
> events derived from Windows agents. I'm testing the following log with 
> ossec-logtest but only the rule with ID 18107 (ms_auth_rules) gets 
> triggered:
>
> 2021 Oct 22 02:41:37 WinEvtLog: Security: AUDIT_SUCCESS(4624): 
> Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.*****.DOMAIN: 
> Win2016-1.AD.*****.domain: An account was successfully logged on. 
> Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  
> Logon ID:  0x0  Logon Type:   3  New Logon:  Security ID:  S-1-5-18  
> Account Name:  WIN2016-1$  Account Domain:  AD.*****.DOMAIN  Logon ID:  
> 0x7effdf27325  Logon GUID:  {BB6F5B99-2E84-D711-F3ED-2D759EA2B180}  Process 
> Information:  Process ID:  0x0  Process Name:  -  Network Information:  
> Workstation Name: -  Source Network Address: ::1  Source Port:  87***  
> Detailed Authentication Information:  Logon Process:  Kerberos  
> Authentication Package: Kerberos  Transited Services: -  Package Name (NTLM 
> only): -  Key Length:  0  This event is generated when a logon session is 
> created. It is generated on the computer that was accessed.
>
> *ossec-logtest*:
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18107'
>        Level: '3'
>        Description: 'Windows Logon Success.'
> **Alert to be generated.
>
> I've tried to add a local rule adapted to the windows group, like below 
> but with no results: 
>
> <group name="local,windows,">
>
>   <rule id="100020" level="9">
>     <if_group>authentication_success</if_group>
>     <time>7 pm - 7:00 am</time>
>     <description>Successful login during non-business hours</description>
>     <group>login_time,</group>
>     <options>no_ar</options>
>   </rule>
>
> </group>
>
> I would be grateful for any help
> Angel
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/772cba3d-ddc3-4b72-8c0f-05401755a04bn%40googlegroups.com.
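As an added illustration of the rule chaining the question turns on (this is example code written for this page, not code from the post, the poster or the OSSEC project), the Python below models the two rules involved: a stand-in for 18107, which tags Windows logon-success event IDs with the group `authentication_success`, and the poster's local rule 100020, which depends on that group and on a `<time>` window. One detail the model makes explicit is that OSSEC tests `<time>` against the clock at the moment the event is analysed, not against the timestamp inside the event, so an ossec-logtest run during working hours will not fire a non-business-hours rule even when the pasted event says 02:41. The sample events are constructed (the redacted domain is replaced with a made-up one), the rule dictionaries are an assumed simplification of OSSEC's rule tree, and the helper names (`decode`, `parse_clock`, `in_window`, `evaluate`) are the example's own.

```python
import re
from datetime import datetime, time as clocktime

# Constructed sample events (not real telemetry). The first mirrors the 4624
# event from the post with the redacted domain replaced by a made-up one; the
# second is a made-up 4625 failure that should match neither rule.
SAMPLE_4624 = (
    "2021 Oct 22 02:41:37 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.EXAMPLE.DOMAIN: "
    "Win2016-1.AD.example.domain: An account was successfully logged on. "
    "Subject:  Security ID:  S-1-0-0  Account Name:  -  Logon ID:  0x0  "
    "Logon Type:   3  New Logon:  Security ID:  S-1-5-18  "
    "Account Name:  WIN2016-1$  Account Domain:  AD.EXAMPLE.DOMAIN  "
    "Logon Process:  Kerberos  Authentication Package: Kerberos"
)
SAMPLE_4625 = (
    "2021 Oct 22 02:42:10 WinEvtLog: Security: AUDIT_FAILURE(4625): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "Win2016-1.AD.example.domain: An account failed to log on. "
    "Logon Type:   3  Account Name:  bob  Failure Reason:  Unknown user name or bad password."
)

# Assumed, simplified stand-ins for the two rules (not OSSEC's rule engine):
# the first plays the role of 18107 from ms_auth_rules, the second is the
# poster's local rule 100020 with its if_group and time window.
RULES = [
    {"id": 18107, "level": 3, "event_ids": {"528", "540", "673", "4624", "4768", "4769"},
     "groups": {"authentication_success"}, "desc": "Windows Logon Success."},
    {"id": 100020, "level": 9, "if_group": "authentication_success",
     "time": "7 pm - 7:00 am", "groups": {"login_time"},
     "desc": "Successful login during non-business hours"},
]

HEADER_RE = re.compile(r"WinEvtLog: (?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<event_id>\d+)\): ")
CLOCK_RE = re.compile(r"^\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)?\s*$", re.I)


def decode(line):
    """Pull channel, audit status, event ID and logon type out of a WinEvtLog line."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    lt = re.search(r"Logon Type:\s+(\d+)", line)
    event["logon_type"] = lt.group(1) if lt else None
    return event


def parse_clock(text):
    """Parse one side of a <time> window: '7 pm', '7:00 am', '18:30' or '8'."""
    m = CLOCK_RE.match(text)
    if m is None:
        raise ValueError(f"unparseable time: {text!r}")
    hour, minute = int(m.group(1)), int(m.group(2) or 0)
    meridiem = (m.group(3) or "").lower()
    if meridiem == "pm" and hour != 12:
        hour += 12
    elif meridiem == "am" and hour == 12:
        hour = 0
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"time out of range: {text!r}")
    return clocktime(hour, minute)


def in_window(window, now):
    """True if wall clock `now` is inside 'start - end'; handles windows that cross midnight."""
    start_text, end_text = window.split("-", 1)
    start, end = parse_clock(start_text), parse_clock(end_text)
    t = now.time().replace(second=0, microsecond=0)
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end  # e.g. 7 pm - 7:00 am wraps past midnight


def evaluate(line, now):
    """Return the IDs of the rules that fire for `line` when processed at wall clock `now`.

    A rule with if_group only runs after an earlier rule has tagged the event
    with that group, and the time window is tested against `now` (the
    processing clock), not the timestamp carried in the event.
    """
    event = decode(line)
    if event is None:
        return []
    fired, groups = [], set()
    for rule in RULES:
        if "event_ids" in rule and event["event_id"] not in rule["event_ids"]:
            continue
        if "if_group" in rule and rule["if_group"] not in groups:
            continue
        if "time" in rule and not in_window(rule["time"], now):
            continue
        fired.append(rule["id"])
        groups |= rule["groups"]
    return fired


if __name__ == "__main__":
    for now in (datetime(2021, 10, 22, 2, 41), datetime(2021, 10, 22, 10, 46)):
        print(now.strftime("%H:%M"), "4624 ->", evaluate(SAMPLE_4624, now),
              "| 4625 ->", evaluate(SAMPLE_4625, now))
```

Run as-is it prints that both rules fire when the processing clock is 02:41 and only 18107 fires at 10:46 for the same event text. Before raising a level 9 alert on this particular event, note that it is a Logon Type 3 logon by the machine account (`WIN2016-1$`, SID S-1-5-18) from `::1`, i.e. the host talking to itself; a practitioner would normally exclude machine accounts (names ending in `$`) from a non-business-hours rule to keep it from firing on routine service activity.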
