I have been trying to write some rules for suppressing service account
network logons because they cause too much noise and are taking up a large
portion of our Splunk license.
Here is the rule I wrote:
<rule id="181070" level="0">
<if_sid>18107</if_sid>
<id>^4624$</id>
<user>^svc_</user>
<match>Logon Type: 3</match>
<description>Ignore svc account network logons</description>
</rule>
This rule has been eliminating most of the logon alerts but not all. so
when I looked in /var/ossec/logs/alerts/... I saw alerts that looked like:
#specific information has been changed for security purposes
** Alert 1551290099.295331: - windows,authentication_success,
2019 Feb 27 09:54:59 (server_name) 172.0.0.0->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
Src IP: 172.0.0.0
User: -
2019 Feb 27 09:56:10 WinEvtLog: Security: AUDIT_SUCCESS(4624):
Microsoft-Windows-Security-Auditing: svc_account: DOMAIN.COMPANY.COM:
server_name.domain.company.com: An account was successfully logged on.
Subject: Security ID: S-1-0-0 Account Name: - Account Domain: -
Logon ID: 0x0 Logon Type: 3 New Logon: Security ID:
S-1-5-21-601235460-1198158354-314601362-9378 Account Name: svc_account
Account Domain: DOMAIN.COMPANY.COM Logon ID: 0x22d8656 Logon GUID:
{6B2C5C06-765A-8520-F93E-34F2752D5A48} Process Information: Process ID:
0x0 Process Name: - Network Information: Workstation Name: - Source
Network Address: 172.0.0.0 Source Port: 12345 Detailed Authentication
Information: Logon Process: Kerberos Authentication Package: Kerberos
Transited Services: - Package Name (NTLM only): - Key Length: 0 This
event is generated when a logon session is created. It is generated on the
computer that was accessed.
So my initial thought is that because this has no user its not matching
correctly. I also have another rules for svc account logoffs that's nearly
identical to the one above and working 100%. I'm trying to understand why
its not finding a user when above you can see on the 2nd line "Account
Name: svc_account". I dug a bit into the windows decoder on the github
repo:
<decoder name="windows1">
<type>windows</type>
<parent>windows</parent>
<regex> Account Name:\s+(\w+\.+)\s+Account</regex>
<order>user</order>
</decoder>
My question is, does the decoder only match the first "Account Name: "
which is on the first line? Does anyone know a way to work around this and
still match these service accounts?
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
