On Thu, Jul 20, 2017 at 2:53 PM, Bob Boklewski <[email protected]> wrote:

> I have two issues.
>
> 1. I cannot get rule 18107 in the msauth_rules.xml file to generate an
> alert, unless I put it as a local rule. This prebuilt rule should work.
> 2. I am trying to monitor successful logins and when testing the rule using
> the log below I can get it to produce an alert while in testing, but it
> sometimes filters using rule 18107 or sometimes rule 18119. It is random
> which rule shows up when testing. Neither ALERT shows up in SQUIL, unless I
> build the local rule, then it works.
>
> I listed the two tests that show the different matched rules and the rules in
> place, which are the predefined rules that come with ossec.
>
> WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: SYSTEM: NT AUTHORITY: BB-Desktop: An account was successfully logged on.
> Subject: Security ID: S-1-5-18 Account Name: BB-DESKTOP$ Account Domain: AVENTIS Logon ID: 0x3e7
> Logon Type: 5
> New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000}
> Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe
> Network Information: Workstation Name: - Source Network Address: - Source Port: -
> Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0
> This event is generated when a logon session is created. It is generated on the computer that was accessed.
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '4624'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: 'SYSTEM'
>        system_name: 'BB-Desktop'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18107'
>        Level: '3'
>        Description: 'Windows Logon Success.'
> **Alert to be generated.
>
> OR
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '4624'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: 'SYSTEM'
>        system_name: 'BB-Desktop'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18119'
>        Level: '3'
>        Description: 'First time this user logged in this system.'
> **Alert to be generated.
>
> Rules
>
>   <rule id="18107" level="3">
>     <if_sid>18104</if_sid>
>     <id>^528$|^540$|^673$|^4624$|^4769$</id>
>     <description>Windows Logon Success.</description>
>     <group>authentication_success,</group>
>   </rule>
>
>   <rule id="18119" level="3">
>     <if_sid>18107</if_sid>
>     <options>alert_by_email</options>
>     <if_fts />
>     <description>First time this user logged in this system.</description>
>     <group>authentication_success,</group>
>   </rule>
The decoder tracks certain fields for "first time use." These ones specifically:

    <fts>name, location, system_name</fts>

If it is the first time the alert is seen with those specific field values, 18119 should fire. After that, assuming the same values, 18107 should be the triggered rule.

> --
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
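To make the first-time-seen behaviour concrete, here is an added Python simulation (not OSSEC code and not from this thread) of how 18107 and 18119 resolve against the fts key the reply describes. It assumes that the `name` entry in `<fts>` means the decoder name, that `location` is the agent/log-source string, and that the parent rule 18104 (not shown on the page) simply requires a `windows` decoder event with status `AUDIT_SUCCESS`.

```python
import re

# Rule 18107 (from the thread): Windows logon success event ids
LOGON_SUCCESS_IDS = re.compile(r"^528$|^540$|^673$|^4624$|^4769$")

# Fields the reply names in <fts>: "name" is taken to mean the decoder name
# (assumption), so the key is (decoder, location, system_name).
FTS_FIELDS = ("decoder", "location", "system_name")


class FtsTracker:
    """Mimics OSSEC's first-time-seen store as an in-memory set of field tuples."""

    def __init__(self, fields=FTS_FIELDS):
        self.fields = fields
        self.seen = set()

    def is_first(self, event):
        key = tuple(event.get(f, "") for f in self.fields)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True


def match_rule(event, fts):
    """Return the rule id that would alert for one decoded event, or None."""
    # Parent rule 18104 (not shown on the page): assumed to require a windows
    # decoder event with status AUDIT_SUCCESS.
    if event.get("decoder") != "windows" or event.get("status") != "AUDIT_SUCCESS":
        return None
    if not LOGON_SUCCESS_IDS.match(event.get("id", "")):
        return None  # 18107's <id> filter fails, so neither rule can fire
    # 18119 is a child of 18107 with <if_fts/>: the more specific child wins
    # only when this fts key has never been seen before.
    return 18119 if fts.is_first(event) else 18107


def simulate(events):
    """Run a sequence of decoded events through one fts store; return rule ids."""
    fts = FtsTracker()
    return [match_rule(e, fts) for e in events]


# Constructed sample: the decoded fields logtest printed for Bob's 4624 event,
# plus a location string (assumed format).
SAMPLE = {"decoder": "windows", "location": "(BB-Desktop) any->WinEvtLog",
          "status": "AUDIT_SUCCESS", "id": "4624",
          "dstuser": "SYSTEM", "system_name": "BB-Desktop"}

if __name__ == "__main__":
    print(simulate([SAMPLE, SAMPLE, dict(SAMPLE, dstuser="bob"),
                    dict(SAMPLE, system_name="Other")]))
    # → [18119, 18107, 18107, 18119]: under this key a new user on the same
    #   host does not re-trigger 18119, because dstuser is not part of it.
```

Because the fts store is per-analysisd process, the rule a fresh `ossec-logtest` run reports depends on whether that key is already in its store, which is why the same log line can show 18119 one time and 18107 the next.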
