On Wed, Feb 27, 2019 at 1:16 PM <[email protected]> wrote: > > I have been trying to write some rules for suppressing service account > network logons because they cause too much noise and are taking up a large > portion of our Splunk license. > > Here is the rule I wrote: > > <rule id="181070" level="0"> > <if_sid>18107</if_sid> > <id>^4624$</id> > <user>^svc_</user> > <match>Logon Type: 3</match> > <description>Ignore svc account network logons</description> > </rule> > > This rule has been eliminating most of the logon alerts but not all. so when > I looked in /var/ossec/logs/alerts/... I saw alerts that looked like: > #specific information has been changed for security purposes > > ** Alert 1551290099.295331: - windows,authentication_success, > 2019 Feb 27 09:54:59 (server_name) 172.0.0.0->WinEvtLog > Rule: 18107 (level 3) -> 'Windows Logon Success.' > Src IP: 172.0.0.0 > User: - > 2019 Feb 27 09:56:10 WinEvtLog: Security: AUDIT_SUCCESS(4624): > Microsoft-Windows-Security-Auditing: svc_account: DOMAIN.COMPANY.COM: > server_name.domain.company.com: An account was successfully logged on. > Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon > ID: 0x0 Logon Type: 3 New Logon: Security ID: > S-1-5-21-601235460-1198158354-314601362-9378 Account Name: svc_account > Account Domain: DOMAIN.COMPANY.COM Logon ID: 0x22d8656 Logon GUID: > {6B2C5C06-765A-8520-F93E-34F2752D5A48} Process Information: Process ID: > 0x0 Process Name: - Network Information: Workstation Name: - Source > Network Address: 172.0.0.0 Source Port: 12345 Detailed Authentication > Information: Logon Process: Kerberos Authentication Package: Kerberos > Transited Services: - Package Name (NTLM only): - Key Length: 0 This > event is generated when a logon session is created. It is generated on the > computer that was accessed. > > So my initial thought is that because this has no user its not matching > correctly. I also have another rules for svc account logoffs that's nearly > identical to the one above and working 100%. I'm trying to understand why its > not finding a user when above you can see on the 2nd line "Account Name: > svc_account". I dug a bit into the windows decoder on the github repo: > > <decoder name="windows1"> > <type>windows</type> > <parent>windows</parent> > <regex> Account Name:\s+(\w+\.+)\s+Account</regex> > <order>user</order> > </decoder> > > My question is, does the decoder only match the first "Account Name: " which > is on the first line? Does anyone know a way to work around this and still > match these service accounts? >
Yes, it does. I'm hoping to get a chance to mess with the Windows decoder after the dynamic decoder pull request gets merged, but all of that requires free time. You could try adding: <match> Account Name: svc_</match> to a rule to see if that catches the rest. > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
