Hi
On Friday, October 22, 2021 at 7:46:01 AM UTC-3 Angelos Alevizopoulos wrote:
> Hi ossec community,
>
> I'm wondering if the rule with ID 17101 (policy_rules) could also be triggered for
> events derived from Windows agents. I'm testing the following log with
> ossec-logtest, but only the rule with ID 18107 (ms_auth_rules) gets
> triggered:
>
> 2021 Oct 22 02:41:37 WinEvtLog: Security: AUDIT_SUCCESS(4624):
> Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.*****.DOMAIN:
> Win2016-1.AD.*****.domain: An account was successfully logged on.
> Subject: Security ID: S-1-0-0 Account Name: - Account Domain: -
> Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-18
> Account Name: WIN2016-1$ Account Domain: AD.*****.DOMAIN Logon ID:
> 0x7effdf27325 Logon GUID: {BB6F5B99-2E84-D711-F3ED-2D759EA2B180} Process
> Information: Process ID: 0x0 Process Name: - Network Information:
> Workstation Name: - Source Network Address: ::1 Source Port: 87***
> Detailed Authentication Information: Logon Process: Kerberos
> Authentication Package: Kerberos Transited Services: - Package Name (NTLM
> only): - Key Length: 0 This event is generated when a logon session is
> created. It is generated on the computer that was accessed.
>
> *ossec-logtest*:
>
> **Phase 3: Completed filtering (rules).
> Rule id: '18107'
> Level: '3'
> Description: 'Windows Logon Success.'
> **Alert to be generated.
>
> I've tried to add a local rule adapted to the windows group, like below
> but with no results:
>
> <group name="local,windows,">
>
>   <rule id="100020" level="9">
>     <if_group>authentication_success</if_group>
>     <time>7 pm - 7:00 am</time>
>     <description>Successful login during non-business hours</description>
>     <group>login_time,</group>
>     <options>no_ar</options>
>   </rule>
>
> </group>
>
> I would be grateful for any help
> Angel
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/772cba3d-ddc3-4b72-8c0f-05401755a04bn%40googlegroups.com.
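To make visible what the local rule's `7 pm - 7:00 am` window does to the quoted 4624 event, here is a stand-alone simulation added to this thread (it is not OSSEC code and not from either post): it pulls the timestamp, logon type and new-logon account out of the event line and evaluates the window against the event's own timestamp, treating a start later than the end as wrapping past midnight. The sample line is a trimmed copy of the posted event with the redacted domain replaced by a placeholder.

```python
import re
from datetime import datetime, time

# Constructed sample: the 4624 event quoted in the post, trimmed, domain replaced by a placeholder.
SAMPLE_EVENT = (
    "2021 Oct 22 02:41:37 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.EXAMPLE.DOMAIN: "
    "Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - "
    "Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-18 "
    "Account Name: WIN2016-1$ Account Domain: AD.EXAMPLE.DOMAIN"
)

def parse_clock(text):
    """Parse one side of a <time> range ('7 pm', '7:00 am', '18:30') into a time."""
    m = re.match(r"^\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)?\s*$", text, re.I)
    if not m:
        raise ValueError(f"unrecognised clock spec: {text!r}")
    hour, minute, ampm = int(m.group(1)), int(m.group(2) or 0), (m.group(3) or "").lower()
    if ampm == "pm" and hour != 12:
        hour += 12
    elif ampm == "am" and hour == 12:
        hour = 0
    return time(hour, minute)

def in_time_window(spec, when):
    """True if `when` lies inside `spec` (e.g. '7 pm - 7:00 am'). A start later
    than the end wraps past midnight, which is the non-business-hours case."""
    start_txt, end_txt = spec.split("-", 1)
    start, end = parse_clock(start_txt), parse_clock(end_txt)
    t = when.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end

def parse_4624(line):
    """Extract timestamp, event id, logon type and the new-logon account from one line."""
    ts = re.match(r"(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2})", line).group(1)
    return {
        "timestamp": datetime.strptime(ts, "%Y %b %d %H:%M:%S"),
        "event_id": int(re.search(r"AUDIT_SUCCESS\((\d+)\)", line).group(1)),
        "logon_type": int(re.search(r"Logon Type:\s+(\d+)", line).group(1)),
        "account": re.search(r"New Logon:.*?Account Name:\s+(\S+)", line).group(1),
    }

def after_hours_logon(line, window="7 pm - 7:00 am"):
    """Apply the local rule's time window to the event's own timestamp, not the wall clock."""
    ev = parse_4624(line)
    ev["after_hours"] = in_time_window(window, ev["timestamp"])
    return ev
```

As I understand it, OSSEC and ossec-logtest compare `<time>` against the clock of the host doing the analysis rather than the event's timestamp, so a logtest run during business hours will not fire a non-business-hours rule whatever the log says. The sample is also a logon type 3 by the computer account from ::1, which a time-only rule would alert on every night, so the logon type is reported alongside the window result.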