Hi ossec community,
I'm wonder if rule with ID 17101(policy_rules) could also be triggered for
events derived from windows agents. I'm testing the following log with
ossec-logtest but only the rule with ID 18107(ms_auth_rules) gets
triggered:
2021 Oct 22 02:41:37 WinEvtLog: Security: AUDIT_SUCCESS(4624):
Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.*****.DOMAIN:
Win2016-1.AD.*****.domain: An account was successfully logged on. Subject:
Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID:
0x0 Logon Type: 3 New Logon: Security ID: S-1-5-18 Account Name:
WIN2016-1$ Account Domain: AD.*****.DOMAIN Logon ID: 0x7effdf27325
Logon GUID: {BB6F5B99-2E84-D711-F3ED-2D759EA2B180} Process Information:
Process ID: 0x0 Process Name: - Network Information: Workstation Name:
- Source Network Address: ::1 Source Port: 87*** Detailed
Authentication Information: Logon Process: Kerberos Authentication
Package: Kerberos Transited Services: - Package Name (NTLM only): - Key
Length: 0 This event is generated when a logon session is created. It is
generated on the computer that was accessed.
*ossec-logtest*:
**Phase 3: Completed filtering (rules).
Rule id: '18107'
Level: '3'
Description: 'Windows Logon Success.'
**Alert to be generated.
I've tried to add a local rule adapted to the windows group, like below but
with no results:
<group name="local,windows,">
<rule id="100020" level="9">
<if_group>authentication_success</if_group>
<time>7 pm - 7:00 am</time>
<description>Successful login during non-business hours</description>
<group>login_time,</group>
<options>no_ar</options>
</rule>
</group>
I would be grateful for any help
Angel
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/8732fb42-d05f-42c6-9945-f29021d19116n%40googlegroups.com.
