Here is the alert after I changed rule 18104 to level "3" from level "0". Prior to that this event would not trigger.
** Alert 1351792038.4533975: mail - windows,adduser,account_changed,
2012 Nov 01 17:47:18 (Tom_Win_Malware) any->WinEvtLog
Rule: 18110 (level 8) -> 'User account enabled or created.'
User: (no user)
WinEvtLog: Security: AUDIT_SUCCESS(4722): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: A user account was enabled. Subject: Security ID: S-1-5-21-800335143-1878524036-1083337731-1000 Account Name: secarch Account Domain: mydomain Logon ID: 0x1ab61 Target Account: Security ID: S-1-5-21-800335143-1878524036-1083337731-1004 Account Name: Bonehead Account Domain: mydomain

On Thu, Nov 1, 2012 at 2:50 PM, dan (ddp) <[email protected]> wrote:
> On Thu, Nov 1, 2012 at 2:48 PM, Tom OBrion <[email protected]> wrote:
> > I am somewhat new to OSSEC so be nice, PLEASE! :)
> >
> > I am not quite understanding why an ID 4720 would not hit my alert log
> > based on the below rules. As soon as I change rule id 18104's alert level to
> > something other than 0 she alerts. I was under the impression that if the
> > if_sid statement is true it continues into the rule. So based on the
> > Windows security event, the audit was a success and category is windows, it
> > should have triggered based on these rules. Like I said, as soon as I change
> > the 18104 rule to let's say level 4 she worked. Let me know if you need
> > additional information, but is there someplace else I need to look or maybe
> > I'm missing something? THANKS..
> >
> > NOTE: A 4720 is "user account was created" and was a success. Keywords:
> > Audit Success
> >
> >
> > <rule id="18100" level="0">
> >   <category>windows</category>
> >   <description>Group of windows rules.</description>
> > </rule>
> >
> > <rule id="18104" level="0">
> >   <if_sid>18100</if_sid>
> >   <status>^AUDIT_SUCCESS|^success</status>
> >   <description>Windows audit success event.</description>
> > </rule>
> >
> > <rule id="18110" level="8">
> >   <if_sid>18104</if_sid>
> >   <id>^624|^626|^645|^4720|^4722|^4741</id>
> >   <description>User account enabled or created.</description>
> >   <group>adduser,account_changed,</group>
> > </rule>
> >
> >
> > --
> > Tom O'Brion
> > Twitter: @tobrion
> >
> > "Life is too short to spend time with people who suck the happy out of you."
> >
>
> Can you provide a log sample? And what worked? You got a 18110 alert?
>

--
Tom O'Brion
Twitter: @tobrion
Skype: TomOBrion

"Life is too short to spend time with people who suck the happy out of you."
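An added example, not from this thread and not OSSEC's own code: a small Python model of how the if_sid chain 18100 -> 18104 -> 18110 quoted above is evaluated against the log line from the alert. The decoder (decode_winevt) is an assumed simplification that pulls the status and event id out of the "AUDIT_SUCCESS(4722)" text; OSSEC's real decoders and regex engine are not used.

```python
import re
import xml.etree.ElementTree as ET

# Rule XML copied from the thread, wrapped in a <group> so it parses as one document.
RULES_XML = """<group name="windows,">
<rule id="18100" level="0">
  <category>windows</category>
  <description>Group of windows rules.</description>
</rule>
<rule id="18104" level="0">
  <if_sid>18100</if_sid>
  <status>^AUDIT_SUCCESS|^success</status>
  <description>Windows audit success event.</description>
</rule>
<rule id="18110" level="8">
  <if_sid>18104</if_sid>
  <id>^624|^626|^645|^4720|^4722|^4741</id>
  <description>User account enabled or created.</description>
  <group>adduser,account_changed,</group>
</rule>
</group>"""

# Log line from the alert in the thread (Subject/Target detail trimmed).
SAMPLE_LOG = "WinEvtLog: Security: AUDIT_SUCCESS(4722): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: A user account was enabled."

def decode_winevt(line):
    """Stand-in for OSSEC's windows decoder (assumption): 'AUDIT_SUCCESS(4722)' -> status, id."""
    m = re.search(r"WinEvtLog: \w+: (\w+)\((\d+)\)", line)
    return {"category": "windows", "status": m.group(1), "id": m.group(2)} if m else None

def load_rules(xml_text):
    """Keep only the fields the thread's rules use: level, if_sid and category/status/id."""
    rules = {}
    for r in ET.fromstring(xml_text).findall("rule"):
        fields = {f: r.findtext(f) for f in ("category", "status", "id") if r.findtext(f)}
        parents = [p for p in (r.findtext("if_sid") or "").split(",") if p.strip()]
        rules[r.get("id")] = {"level": int(r.get("level")), "if_sid": parents, "fields": fields}
    return rules

def evaluate(rules, event):
    """Rules are tried in file order; one with if_sid is tried only after a parent matched.
    Returns (deepest matching rule id, level); level 0 means matched but not alerted."""
    matched = []
    for rid, rule in rules.items():
        if rule["if_sid"] and not any(p in matched for p in rule["if_sid"]):
            continue
        if all(re.match(pat, event.get(f, "")) for f, pat in rule["fields"].items()):
            matched.append(rid)
    return (matched[-1], rules[matched[-1]]["level"]) if matched else (None, None)
```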
