Hi Angel! First of all, my apologies for the late response.
"I'm wondering if rule with ID 17101 (policy_rules) could also be triggered for events derived from windows agents."

Yes. To give you some context: the standard rules are located in /var/ossec/rules. If you want to modify them, you must make the custom changes in /var/ossec/rules/local_rules.xml. Second, the policy rules are disabled by default in /var/ossec/etc/ossec.conf, so you have to enable them (if not, you don't need to overwrite the rule; you can just create a new rule in local_rules.xml with any id).

So, the steps would be:

1. Uncomment the line <!-- <include>policy_rules.xml</include> --> in /var/ossec/etc/ossec.conf and save the changes.

2. Copy the rule you want to modify from the rule file (/var/ossec/rules/policy_rules.xml).

3. Paste it in /var/ossec/rules/local_rules.xml like this (I changed the description only for demonstration purposes):

    <group name="policy_violation,windows,">
      <rule id="17101" level="9" overwrite="yes">
        <if_group>authentication_success</if_group>
        <time>7 pm - 7:00 am</time>
        <description>Description in order to verify the rule</description>
        <group>login_time,</group>
      </rule>
    </group>

4. Restart OSSEC (/var/ossec/bin/ossec-control restart):

    Starting OSSEC HIDS v3.6.0...
    Started ossec-execd...
    Started ossec-analysisd...
    Started ossec-logcollector...
    Started ossec-remoted...
    Started ossec-syscheckd...
    Started ossec-monitord...
    Completed.

5. Finally, I tested the rule with your example log and this is what I get:

    **Phase 3: Completed filtering (rules).
    Rule id: '17101'
    Level: '9'
    Description: 'Description in order to verify the rule'
    **Alert to be generated.

Plus: OSSEC reads the logs in /var/log/messages, so you can write your example log into that file (with the machine time) and check the file where OSSEC logs the alerts (/var/ossec/logs/alerts/alerts.log) to verify that the rule is working well.

1. Write your example log into the messages file:

    echo "2021 Nov 15 22:53:50 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.*****.DOMAIN: Win2016-1.AD.*****.domain: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-18 Account Name: WIN2016-1$ Account Domain: AD.*****.DOMAIN Logon ID: 0x7effdf27325 Logon GUID: {BB6F5B99-2E84-D711-F3ED-2D759EA2B180} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 87*** Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed." >> /var/log/messages

2. Check the alerts file:

    # tail /var/ossec/logs/alerts/alerts.log
    ** Alert 1637027681.747: mail - policy_violation,windows,login_time,
    2021 Nov 16 01:54:41 centos-manager2->/var/log/messages
    Rule: 17101 (level 9) -> 'Description in order to verify the rule'
    Src IP: ::1
    User: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-18 Account Name: WIN2016-1$
    2021 Nov 15 22:53:50 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.*****.DOMAIN: Win2016-1.AD.*****.domain: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-18 Account Name: WIN2016-1$ Account Domain: AD.*****.DOMAIN Logon ID: 0x7effdf27325 Logon GUID: {BB6F5B99-2E84-D711-F3ED-2D759EA2B180} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 87*** Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed.

    ** Alert 1637027686.1978: mail - ossec,rootcheck,
    2021 Nov 16 01:54:46 centos-manager2->rootcheck
    Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
    File '/etc/rc.d/init.d/ossec' is owned by root and has write permissions to anyone.

Please let me know if this helps.

Regards,
Mauro Malara.

On Friday, October 22, 2021 at 7:46:01 AM UTC-3 Angelos Alevizopoulos wrote:
> Hi ossec community,
>
> I'm wondering if rule with ID 17101 (policy_rules) could also be triggered for
> events derived from windows agents. I'm testing the following log with
> ossec-logtest but only the rule with ID 18107 (ms_auth_rules) gets
> triggered:
>
> 2021 Oct 22 02:41:37 WinEvtLog: Security: AUDIT_SUCCESS(4624):
> Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.*****.DOMAIN:
> Win2016-1.AD.*****.domain: An account was successfully logged on.
> Subject: Security ID: S-1-0-0 Account Name: - Account Domain: -
> Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-18
> Account Name: WIN2016-1$ Account Domain: AD.*****.DOMAIN Logon ID:
> 0x7effdf27325 Logon GUID: {BB6F5B99-2E84-D711-F3ED-2D759EA2B180} Process
> Information: Process ID: 0x0 Process Name: - Network Information:
> Workstation Name: - Source Network Address: ::1 Source Port: 87***
> Detailed Authentication Information: Logon Process: Kerberos
> Authentication Package: Kerberos Transited Services: - Package Name (NTLM
> only): - Key Length: 0 This event is generated when a logon session is
> created. It is generated on the computer that was accessed.
>
> ossec-logtest:
>
> **Phase 3: Completed filtering (rules).
> Rule id: '18107'
> Level: '3'
> Description: 'Windows Logon Success.'
> **Alert to be generated.
>
> I've tried to add a local rule adapted to the windows group, like below,
> but with no results:
>
> <group name="local,windows,">
>   <rule id="100020" level="9">
>     <if_group>authentication_success</if_group>
>     <time>7 pm - 7:00 am</time>
>     <description>Successful login during non-business hours</description>
>     <group>login_time,</group>
>     <options>no_ar</options>
>   </rule>
> </group>
>
> I would be grateful for any help
> Angel
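The two points the reply above turns on are (a) that a copied rule id only needs overwrite="yes" once policy_rules.xml is actually included, and (b) that the 7 pm - 7:00 am window is evaluated against the manager's clock when the event is analysed, which is why the log line is injected "with the machine time". The script below is an added example (not code from the thread or from the OSSEC project) that models just those two behaviours in Python and runs the posted rule over the posted 4624 line. It is a simplified model of OSSEC's matching: only if_group and time are evaluated, the mapping of event 4624 to the authentication_success group stands in for rule 18107, the stock 17101 text is an illustrative stand-in for whatever is in /var/ossec/rules/policy_rules.xml, and treating the end of the window as exclusive is an assumption of the model, not a documented OSSEC guarantee.

```python
import re
import xml.etree.ElementTree as ET
from datetime import time

# Constructed stand-in for the stock rule in policy_rules.xml (loaded only once
# the <include> line in ossec.conf is uncommented); wording is illustrative.
POLICY_RULES_XML = """<group name="policy_violation,">
  <rule id="17101" level="9">
    <if_group>authentication_success</if_group>
    <time>7 pm - 7:00 am</time>
    <description>Successful login during non-business hours.</description>
    <group>login_time,</group>
  </rule>
</group>"""

# The overwriting rule as posted for local_rules.xml.
LOCAL_RULES_XML = """<group name="policy_violation,windows,">
  <rule id="17101" level="9" overwrite="yes">
    <if_group>authentication_success</if_group>
    <time>7 pm - 7:00 am</time>
    <description>Description in order to verify the rule</description>
    <group>login_time,</group>
  </rule>
</group>"""

# Constructed sample: the thread's 4624 event, shortened, domain redacted as posted.
SAMPLE_LOG = ("2021 Nov 15 22:53:50 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
              "Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.*****.DOMAIN: "
              "Win2016-1.AD.*****.domain: An account was successfully logged on.")

_CLOCK = re.compile(r"^\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)?\s*$", re.IGNORECASE)
_EVENT_ID = re.compile(r"AUDIT_SUCCESS\((\d+)\)")

def parse_clock(text):
    """One side of a <time> range ('7 pm', '7:00 am', '19:00') -> datetime.time."""
    m = _CLOCK.match(text)
    if not m:
        raise ValueError(f"unrecognised clock value: {text!r}")
    hour, minute, meridian = int(m.group(1)), int(m.group(2) or 0), (m.group(3) or "").lower()
    if meridian == "pm" and hour != 12:
        hour += 12
    elif meridian == "am" and hour == 12:
        hour = 0
    return time(hour, minute)

def parse_time_range(text):
    """'7 pm - 7:00 am' -> (time(19, 0), time(7, 0))."""
    start, end = text.split("-", 1)
    return parse_clock(start), parse_clock(end)

def in_window(now, window):
    """Start later than end means the window wraps past midnight (assumed exclusive end)."""
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def load_rules(*xml_documents):
    """Load rule files in order; a repeated id is accepted only with overwrite="yes"."""
    rules = {}
    for doc in xml_documents:
        for rule in ET.fromstring(doc).iter("rule"):
            rid = rule.get("id")
            if rid in rules and rule.get("overwrite") != "yes":
                raise ValueError(f'rule id {rid} duplicated: add overwrite="yes" or use a new id')
            time_text = rule.findtext("time")
            rules[rid] = {
                "id": rid,
                "if_group": (rule.findtext("if_group") or "").strip(),
                "time": parse_time_range(time_text) if time_text else None,
            }
    return rules

def base_groups(log_line):
    """Stand-in for rule 18107, which tags this event authentication_success."""
    m = _EVENT_ID.search(log_line)
    return {"authentication_success"} if m and m.group(1) == "4624" else set()

def evaluate(log_line, rules, manager_time):
    """Ids of rules that fire; <time> is checked against the manager clock, not the event's."""
    groups = base_groups(log_line)
    fired = []
    for rule in rules.values():
        if rule["if_group"] and rule["if_group"] not in groups:
            continue
        if rule["time"] and not in_window(manager_time, rule["time"]):
            continue
        fired.append(rule["id"])
    return fired

def overwrite_is_required():
    """Failure mode: policy rules included, same id reused, overwrite left out."""
    try:
        load_rules(POLICY_RULES_XML, LOCAL_RULES_XML.replace(' overwrite="yes"', ""))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    rules = load_rules(POLICY_RULES_XML, LOCAL_RULES_XML)
    for clock in ("1:54 am", "12:00 pm"):  # inside and outside the 7 pm - 7 am window
        print(clock, evaluate(SAMPLE_LOG, rules, parse_clock(clock)))
    print("duplicate id without overwrite rejected:", overwrite_is_required())
```

Loading only LOCAL_RULES_XML without the overwrite attribute still works in this model, which is the "you can just create a new rule with any id" case: the conflict only exists once the stock file is in the rule set. On a real manager the equivalent check is to run the event through /var/ossec/bin/ossec-logtest at a wall-clock time inside the window and confirm that Phase 3 reports rule 17101 rather than 18107.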