Open shahmilan34 opened 5 years ago
Hello @shahmilan34,
Can you try out the next rules?
<rule id="25000" level="0">
<if_sid>18107</if_sid>
<match>Logon Type: 3</match>
<description>Windows Logon Type 3 Success</description>
<group>pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,</group>
</rule>
<rule id="25001" level="3" frequency="2" ignore="30">
<if_sid>25000</if_sid>
<description>Windows Logon Success</description>
<group>pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,</group>
</rule>
The first one is a child of 18107 and has an alert level of 0, which means it won't generate any alert in your alerts.log file. The second one, a child of 25000, has the frequency and ignore options: when 2 events (frequency="2") matching rule 25000 are generated, rule 25001 will trigger once and won't trigger again until 30 seconds later (ignore="30").
Hello @cristgl, if 3 users log in at the same time, the above mentioned rule will trigger only once (need 3 different alerts as there are 3 users).
Hello @shahmilan34,
For differentiating between different users, the second rule (25001) would only need to have the <same_user /> option. This will cause only logon type 3 events of the same user to be alerted once and ignored the next times until 30 seconds later (you can also change this value to your liking), but it won't ignore other users' events. I hope this can help you and solve this problem.
Best regards, Cristina
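As an added illustration (not code from this thread or from Wazuh itself), the following Python model replays constructed Windows logon events through the two-rule chain above, with and without <same_user />. It simplifies Wazuh's counters to exactly what the thread describes (frequency matches, then an ignore window, no timeframe expiry) and assumes a "User: <name>" field in the message.

```python
import re

# Constructed sample events (seconds, message); not taken from the issue.
EVENTS = [
    (0,  "User: alice  Logon Type: 3"),
    (1,  "User: alice  Logon Type: 3"),   # 2nd match -> rule 25001 fires
    (2,  "User: bob    Logon Type: 3"),
    (3,  "User: bob    Logon Type: 3"),   # 2nd bob match -> fires only with same_user
    (5,  "User: alice  Logon Type: 3"),   # inside ignore window -> silently dropped
    (40, "User: alice  Logon Type: 3"),
    (41, "User: alice  Logon Type: 3"),   # ignore window expired -> fires again
]

USER_RE = re.compile(r"User:\s*(\S+)")  # assumed message layout


def evaluate(events, frequency=2, ignore=30, same_user=False):
    """Model of rule 25000 (level 0, matches 'Logon Type: 3') feeding
    composite rule 25001: fire after `frequency` matches, then stay quiet
    for `ignore` seconds. With same_user, counters and the ignore window
    are kept per user instead of globally. Returns [(time, user_or_*)]."""
    counts = {}      # key -> matches accumulated since the last alert
    last_alert = {}  # key -> time the rule last fired for that key
    alerts = []
    for ts, msg in events:
        if "Logon Type: 3" not in msg:   # rule 25000 does not match
            continue
        m = USER_RE.search(msg)
        key = m.group(1) if (same_user and m) else "*"
        if key in last_alert and ts - last_alert[key] < ignore:
            continue                     # still ignored: no alert, no counting
        counts[key] = counts.get(key, 0) + 1
        if counts[key] >= frequency:
            alerts.append((ts, key))
            counts[key] = 0
            last_alert[key] = ts
    return alerts


if __name__ == "__main__":
    print("global:   ", evaluate(EVENTS))
    print("same_user:", evaluate(EVENTS, same_user=True))
```

Without same_user, bob's two logons at t=2 and t=3 are swallowed by the ignore window opened by alice's alert at t=1; with same_user, each user gets their own alert.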
Hello @cristgl,
Tried using
Need to detect Windows login using logon type 3 because the wazuh agent is installed on the Windows AD. Can't use the #295 solution as it needs the wazuh agent installed on thousands of workstations in the production system.
Windows Agent config:
wazuh-agent v3.8.2 on Windows AD, Windows 8
Wazuh-Manager config:
CentOS 7, wazuh-manager v3.8.2