Unfortunately that didn't work, Maarten. After following that logic I am still getting all the email alerts for that account again. And yes, I restarted the OSSEC daemons after adding the rules :-)
However, when I run the log entry against ossec-logtest, it appears to do what I want by matching my overwritten #18180 rule -- yet in reality it still sends an email because it matches the #18152 composite rule (I'm not sure how to use ossec-logtest to test a composite rule with multiple log entries).

Here are the rules I added:

    <!-- Rewrite rule #18180 to narrow down to bad SQL account and not add the 'win_authentication_failed' group -->
    <rule id="18180" level="5" overwrite="yes">
      <if_sid>18105</if_sid>
      <id>^18456$</id>
      <match>Login failed for user 'USERNAME'</match>
      <group>pci_dss_10.2.4,pci_dss_10.2.5,</group>
      <description>MS SQL Server Logon Failure for 'dpa' only</description>
    </rule>

    <!-- Add new rule to take the place of rule #18180 after matching our bad SQL account -->
    <rule id="100150" level="5">
      <if_sid>18105</if_sid>
      <id>^18456$</id>
      <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
      <description>MS SQL Server Logon Failure for 'dpa' only</description>
    </rule>

Here's the output from ossec-logtest:

    2017/11/21 10:31:13 ossec-testrule: INFO: Reading local decoder file.
    2017/11/21 10:31:13 ossec-testrule: INFO: Started (pid: 27437).
    ossec-testrule: Type one log per line.

    2017 Nov 16 12:43:56 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]

    **Phase 1: Completed pre-decoding.
           full event: '2017 Nov 16 12:43:56 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]'
           hostname: 'SERVER'
           program_name: '(null)'
           log: '2017 Nov 16 12:43:56 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]'

    **Phase 2: Completed decoding.
           decoder: 'windows'
           status: 'AUDIT_FAILURE'
           id: '18456'
           extra_data: 'MSSQLSERVER'
           dstuser: '(no user)'
           system_name: 'SERVER'

    **Phase 3: Completed filtering (rules).
           Rule id: '18180'
           Level: '5'
           Description: 'TEMP NOISE REDUCTION: MS SQL Server Logon Failure for ' USERNAME''
    **Alert to be generated.

What am I still missing? Any ideas?

-- 

--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
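As an added illustration (not from the post above and not OSSEC's own code), the rule chain it describes modelled in Python over constructed log lines in the same WinEvtLog shape: the two user-supplied rules as siblings under 18105 with first match winning, and a frequency/timeframe counter in the style of the 18152 composite rule keyed on the win_authentication_failed group. The frequency (4) and timeframe (240 s), the account name 'dpa' (taken from the rule description), the client address and the timestamps are assumptions for the example; the shipped 18152 values and OSSEC's exact sibling-ordering rules are not reproduced. Running it shows why a composite rule can only be exercised by feeding several lines in sequence rather than one, and that the outcome turns entirely on which sibling rule claims the event first.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Field layout of the pre-decoded WinEvtLog line shown in the post.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<host>[^:]+): (?P<msg>.*)$"
)

NOISY_ACCOUNT = "dpa"  # assumed: account name taken from the post's rule description

# Simplified forms of the two rules from the post. Both hang off 18105 and
# require event id 18456; 18180 additionally requires the account name in the
# message and deliberately omits the win_authentication_failed group.
RULES = {
    18180: {"match": f"Login failed for user '{NOISY_ACCOUNT}'",
            "groups": {"pci_dss_10.2.4", "pci_dss_10.2.5"}},
    100150: {"match": None,
             "groups": {"win_authentication_failed", "pci_dss_10.2.4", "pci_dss_10.2.5"}},
}
DEFAULT_ORDER = (18180, 100150)  # the order the post's design relies on: narrow rule first


def parse_event(line):
    """Extract the fields the rules look at (a stand-in for the windows decoder)."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y %b %d %H:%M:%S")
    return ev


def match_rule(ev, order=DEFAULT_ORDER):
    """Return the id of the first sibling rule that matches, or None."""
    if ev is None or ev["status"] != "AUDIT_FAILURE" or ev["id"] != "18456":
        return None
    for rid in order:
        pattern = RULES[rid]["match"]
        if pattern is None or pattern in ev["msg"]:
            return rid
    return None


class CompositeRule:
    """Frequency/timeframe counter in the style of 18152 (if_matched_group).
    frequency and timeframe are assumed values for this example only; the
    counter is cleared after firing so one burst yields one alert."""

    def __init__(self, group="win_authentication_failed", frequency=4, timeframe=240):
        self.group, self.frequency = group, frequency
        self.window = timedelta(seconds=timeframe)
        self.seen = deque()

    def feed(self, ts, groups):
        if self.group not in groups:
            return False
        self.seen.append(ts)
        while self.seen and ts - self.seen[0] > self.window:  # drop events outside the window
            self.seen.popleft()
        if len(self.seen) >= self.frequency:
            self.seen.clear()
            return True
        return False


def run(lines, order=DEFAULT_ORDER, **composite_kwargs):
    """Feed lines in sequence; return one (matched_rule_id, composite_fired) per line."""
    composite = CompositeRule(**composite_kwargs)
    results = []
    for line in lines:
        ev = parse_event(line)
        rid = match_rule(ev, order)
        groups = RULES[rid]["groups"] if rid else set()
        fired = composite.feed(ev["ts"], groups) if ev else False
        results.append((rid, fired))
    return results


def _line(ts, user):
    # Constructed sample event in the post's format; the client IP is a documentation address.
    return (f"{ts} WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): "
            f"no domain: SERVER: Login failed for user '{user}'. Reason: Failed to open the "
            "explicitly specified database 'DATABASE'. [CLIENT: 192.0.2.10]")


# Constructed sample: the noisy account fails five times in one minute, then 'sa' fails four times.
SAMPLE = ([_line(f"2017 Nov 16 12:43:{s:02d}", NOISY_ACCOUNT) for s in (10, 20, 30, 40, 50)]
          + [_line(f"2017 Nov 16 12:44:{s:02d}", "sa") for s in (5, 15, 25, 35)])

if __name__ == "__main__":
    for order in (DEFAULT_ORDER, tuple(reversed(DEFAULT_ORDER))):
        print("sibling order:", order)
        for line, (rid, fired) in zip(SAMPLE, run(SAMPLE, order)):
            print(f"  {line.split(chr(39))[1]:4} -> rule {rid}{'  COMPOSITE ALERT' if fired else ''}")
```

With the narrow rule evaluated first, the 'dpa' events land on 18180, never carry the group, and the composite stays quiet for them while it still fires on the fourth 'sa' failure; with the sibling order reversed, 100150 claims every event and the composite fires for 'dpa' as well. Pasting the same multi-line sequence into a single ossec-logtest session is the equivalent check against the real ruleset.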