Thank you Dan, Another question, can I have more than 1 match string as shown below
<rule id="181070" level="0"> <if_sid>18107</if_sid> <id>^4624$</id> <match>Account Name: svc_</match> <match>Logon Type: 3</match> <description>Ignore svc account network logons</description> </rule> This rule isn't firing correctly either. I'm aware that | exists as a logical OR but I'm trying to do a logical AND On Wednesday, February 27, 2019 at 10:20:00 AM UTC-8, dan (ddpbsd) wrote: > > On Wed, Feb 27, 2019 at 1:16 PM <[email protected] <javascript:>> wrote: > > > > I have been trying to write some rules for suppressing service account > network logons because they cause too much noise and are taking up a large > portion of our Splunk license. > > > > Here is the rule I wrote: > > > > <rule id="181070" level="0"> > > <if_sid>18107</if_sid> > > <id>^4624$</id> > > <user>^svc_</user> > > <match>Logon Type: 3</match> > > <description>Ignore svc account network logons</description> > > </rule> > > > > This rule has been eliminating most of the logon alerts but not all. so > when I looked in /var/ossec/logs/alerts/... I saw alerts that looked like: > #specific information has been changed for security purposes > > > > ** Alert 1551290099.295331: - windows,authentication_success, > > 2019 Feb 27 09:54:59 (server_name) 172.0.0.0->WinEvtLog > > Rule: 18107 (level 3) -> 'Windows Logon Success.' > > Src IP: 172.0.0.0 > > User: - > > 2019 Feb 27 09:56:10 WinEvtLog: Security: AUDIT_SUCCESS(4624): > Microsoft-Windows-Security-Auditing: svc_account: DOMAIN.COMPANY.COM: > server_name.domain.company.com: An account was successfully logged on. > Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - > Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: > S-1-5-21-601235460-1198158354-314601362-9378 Account Name: svc_account > Account Domain: DOMAIN.COMPANY.COM Logon ID: 0x22d8656 Logon GUID: > {6B2C5C06-765A-8520-F93E-34F2752D5A48} Process Information: Process ID: > 0x0 Process Name: - Network Information: Workstation Name: - Source > Network Address: 172.0.0.0 Source Port: 12345 Detailed Authentication > Information: Logon Process: Kerberos Authentication Package: Kerberos > Transited Services: - Package Name (NTLM only): - Key Length: 0 This > event is generated when a logon session is created. It is generated on the > computer that was accessed. > > > > So my initial thought is that because this has no user its not matching > correctly. I also have another rules for svc account logoffs that's nearly > identical to the one above and working 100%. I'm trying to understand why > its not finding a user when above you can see on the 2nd line "Account > Name: svc_account". I dug a bit into the windows decoder on the github > repo: > > > > <decoder name="windows1"> > > <type>windows</type> > > <parent>windows</parent> > > <regex> Account Name:\s+(\w+\.+)\s+Account</regex> > > <order>user</order> > > </decoder> > > > > My question is, does the decoder only match the first "Account Name: " > which is on the first line? Does anyone know a way to work around this and > still match these service accounts? > > > > Yes, it does. I'm hoping to get a chance to mess with the Windows > decoder after the dynamic decoder pull request gets merged, but all of > that requires free time. > You could try adding: > <match> Account Name: svc_</match> > to a rule to see if that catches the rest. > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to [email protected] <javascript:>. > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
