Hello Group and Gurus,
I'm fairly new to configuring OSSEC; I have been using it as an analyst
from Kibana and the web interface.
My question is similar to what another user posted, in that I would like to
monitor after-hours logins. However, I'm having a lot of false positives
with a service account logging in and generating errors, so is there a way
to create the rule below and have it only apply to regular staff logins,
but exclude service account logins? On the other hand, I realize there could be
situations where an attacker is going after service accounts, so maybe I
should use the below and narrow my searches in the Kibana interface.
This was from another user's suggestion.
<!-- goes in /var/ossec/rules/local_rules.xml; rules must sit inside a <group> to load -->
<group name="local,">
  <rule id="500000" level="10">
    <if_group>authentication</if_group>
    <time>6 pm - 9 am</time>
    <description>Login after hours</description>
  </rule>
</group>
I need a step-by-step to get this rule up and running; I've never created a
new rule in OSSEC before. How would I create it and look for it in Kibana
and the web interface?
Thanks for any of the Guru wisdom; it's very appreciated.
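One way to keep both concerns from the post in a single local_rules.xml, added here as an example and not code from the original post or from the OSSEC project: a parent rule alerts on any after-hours successful login, and a child rule re-classifies logins by service accounts at a lower level so they stop paging but stay indexed and searchable in Kibana. The rule IDs 100100/100101, the `svc_`/`sa_` account-name prefixes and the chosen levels are assumptions.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml. Rule IDs, the
     "svc_"/"sa_" account prefixes and the levels are assumptions. -->
<group name="local,after_hours,">

  <!-- Parent: any successful login between 6 pm and 9 am.
       authentication_success is the group OSSEC's stock rules assign to
       successful SSH and Windows logon events. -->
  <rule id="100100" level="10">
    <if_group>authentication_success</if_group>
    <time>6 pm - 9 am</time>
    <description>Login after hours by a regular user</description>
    <group>after_hours_login,</group>
  </rule>

  <!-- Child: same event, but the decoded user name matches the
       service-account naming convention. Level 5 keeps the alert in the
       alerts log (still searchable in Kibana if an attacker targets these
       accounts) but stays below the default email_alert_level of 7.
       Requires the decoder to extract the user (dstuser) from the event. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <user>^svc_|^sa_</user>
    <description>Login after hours by a service account (expected)</description>
    <group>after_hours_login,service_account,</group>
  </rule>

</group>
```

Check that the rules load and fire by pasting a real login line into /var/ossec/bin/ossec-logtest, then restart with /var/ossec/bin/ossec-control restart. In Kibana, filter on rule id 100100 versus 100101 (or the after_hours_login and service_account groups) to separate staff logins from service-account noise.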