wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Wazuh Email Notification Problem Ver:3.13 #6080

Open ozgursuder opened 3 years ago

ozgursuder commented 3 years ago

It doesn't break the mail properly in the email alert section.

Wazuh notification. I wonder what this problem may be caused by.

Received From: (DC) 0.0.0.20->EventChannel
Rule: 100002 fired (level 15) -> "Logon Failure - Unknown User or Bad Password"
Portion of the log(s):

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4771","version":"0","level":"0","task":"14339","opcode":"0","keywords":"0x8010000000000000","systemTime":"2020-09-22T13:54:30.675528500Z","eventRecordID":"3364220266","processID":"716","threadID":"1248","channel":"Security","computer":"xxx.local","severityValue":"AUDIT_FAILURE","message":"\"Kerberos pre-authentication failed.\r\n\r\nAccount Information:\r\n\tSecurity ID:\t\tS-1-5-21-1454471165-1532298954-725345543-500\r\n\tAccount Name:\t\tAdministrator\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt/xx\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::1\r\n\tClient Port:\t\t0\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810010\r\n\tFailure Code:\t\t0x18\r\n\tPre-Authentication Type:\t2\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number: \t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options and failure codes are defined in RFC 4120.\r\n\r\nIf the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.\""},"eventdata":{"targetUserName":"Administrator","targetSid":"S-1-5-21-1454471165-1532298954-725345543-500","serviceName":"krbtgt/...","ticketOptions":"0x40810010","status":"0x18","preAuthType":"2","ipAddress":"::1","ipPort":"0"}}}
win.system.providerName: Microsoft-Windows-Security-Auditing
win.system.providerGuid: {54849625-5478-4994-A5BA-3E3B0328C30D}
win.system.eventID: 4771
win.system.version: 0
win.system.level: 0
win.system.task: 14339
win.system.opcode: 0
win.system.keywords: 0x8010000000000000
win.system.systemTime: 2020-09-22T13:54:30.675528500Z
win.system.eventRecordID: 3364220266
win.system.processID: 716
win.system.threadID: 1248
win.system.channel: Security
win.system.computer: xxxx.local
win.system.severityValue: AUDIT_FAILURE
win.system.message: "Kerberos pre-authentication failed.

Molter73 commented 3 years ago

Hi @ozgursuder

Are you referring to the first line of the mail showing \r\n instead of breaking the line? Those characters are part of the win.system.message field, which is a string, and were escaped in order to keep a valid JSON object. As such, this is not an error but the intended behaviour.

ozgursuder commented 3 years ago

I'm not applying anywhere.

In the default email alert section, the mail comes like this, and I see that the mail is not fully fragmented here. Normally I think it should have arrived properly, as at the end of the email, e.g.: win.system.eventRecordID: 3364374310 win.system.processID: 716 win.system.threadID: 2796 win.system.channel: Security

However, in the email alert I received, many parts of the email correspond.

e.g.: {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4771","version":"0","level":"0","task":"14339","opcode":"0","keywords":"0x8010000000000000","

Molter73 commented 3 years ago

The first line in email alerts is always the full log line as received by the Wazuh manager, in this alert the original log was the following json object:

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4771","version":"0","level":"0","task":"14339","opcode":"0","keywords":"0x8010000000000000","systemTime":"2020-09-22T13:54:30.675528500Z","eventRecordID":"3364220266","processID":"716","threadID":"1248","channel":"Security","computer":"xxx.local","severityValue":"AUDIT_FAILURE","message":"\"Kerberos pre-authentication failed.\r\n\r\nAccount Information:\r\n\tSecurity ID:\t\tS-1-5-21-1454471165-1532298954-725345543-500\r\n\tAccount Name:\t\tAdministrator\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt/xx\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::1\r\n\tClient Port:\t\t0\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810010\r\n\tFailure Code:\t\t0x18\r\n\tPre-Authentication Type:\t2\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number: \t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options and failure codes are defined in RFC 4120.\r\n\r\nIf the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.\""},"eventdata":{"targetUserName":"Administrator","targetSid":"S-1-5-21-1454471165-1532298954-725345543-500","serviceName":"krbtgt/...","ticketOptions":"0x40810010","status":"0x18","preAuthType":"2","ipAddress":"::1","ipPort":"0"}}}

After the full log is printed, the mail adds some of the fields extracted from it; this corresponds to the following lines:

win.system.providerName: Microsoft-Windows-Security-Auditing
win.system.providerGuid: {54849625-5478-4994-A5BA-3E3B0328C30D}
win.system.eventID: 4771
win.system.version: 0
win.system.level: 0
win.system.task: 14339
win.system.opcode: 0
win.system.keywords: 0x8010000000000000
win.system.systemTime: 2020-09-22T13:54:30.675528500Z
win.system.eventRecordID: 3364220266
win.system.processID: 716
win.system.threadID: 1248
win.system.channel: Security
win.system.computer: xxxx.local
win.system.severityValue: AUDIT_FAILURE
win.system.message: "Kerberos pre-authentication failed.

In other words, the "many parts" of the email which you see at the beginning of the alert are simply the JSON object received by the Wazuh manager from Windows EventChannel; the "fragmented" part of the mail is some of the fields extracted by the manager.

ozgursuder commented 3 years ago

Well, is there a method to break it up?

Because the important part to me is there.

This way, it is difficult to find the user or IP address in error in your mail.

Molter73 commented 3 years ago

You can try changing the <email_log_source> from alerts.log to alerts.json in your manager. This will cause all email alerts to be in JSON format, but they will be formatted; it should help improve the readability of this type of alert.

You can find this configuration under the <global> section of your ossec.conf file, it should look something like this:

<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>yes</alerts_log>
  <logall>no</logall>
  <logall_json>no</logall_json>
  <email_notification>yes</email_notification>
  <smtp_server>smtp.example.wazuh.com</smtp_server>
  <email_from>ossecm@example.wazuh.com</email_from>
  <email_to>recipient@example.wazuh.com</email_to>
  <email_maxperhour>12</email_maxperhour>
  <email_log_source>alerts.json</email_log_source>
</global>
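As an added example (not code from this thread, from Wazuh's maild, or from the project), the following Python script demonstrates the two explanations given above: the \r\n sequences in the first line of the mail are JSON escapes inside the win.system.message string, which json.loads turns back into real line breaks, and the win.system.*: value list at the end of the mail is what you get by flattening the decoded object. It reads one alert in the alerts.json format that <email_log_source> can be switched to and renders a mail body with the failing user and source address first. The alert is constructed: its data object is a shortened copy of the EventChannel event quoted in this thread, while the timestamp/rule/agent envelope and the helper names (load_alert, flatten, summarize, render_email) are assumptions of this example.

```python
import json
from typing import Any, Dict, Iterator, Tuple

# Constructed sample alert in the alerts.json format. The "data" object is a
# shortened copy of the EventChannel event quoted in this thread; the
# timestamp/rule/agent envelope is an assumption, not taken from the post.
ALERT_JSON = r'''{"timestamp":"2020-09-22T13:54:31.000+0000","rule":{"level":15,"description":"Logon Failure - Unknown User or Bad Password","id":"100002","mail":true,"groups":["win_authentication_failed"]},"agent":{"id":"000","name":"DC"},"location":"EventChannel","data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4771","channel":"Security","computer":"xxx.local","severityValue":"AUDIT_FAILURE","message":"\"Kerberos pre-authentication failed.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tAdministrator\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::1\r\n\tClient Port:\t\t0\r\n\r\nAdditional Information:\r\n\tFailure Code:\t\t0x18\r\n\""},"eventdata":{"targetUserName":"Administrator","serviceName":"krbtgt/...","status":"0x18","preAuthType":"2","ipAddress":"::1","ipPort":"0"}}}}'''


def load_alert(alert_line: str) -> Dict[str, Any]:
    """Decode one alerts.json line. The JSON string escapes (\\r, \\n, \\t, \\")
    become real characters here; the raw line keeps them as two-character escapes."""
    return json.loads(alert_line)


def flatten(obj: Any, prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted.key, value) pairs from a nested dict. This is the shape of the
    win.system.* / win.eventdata.* list printed at the end of the mail."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    else:
        yield prefix, obj


def message_has_real_newlines(alert_line: str) -> bool:
    """True when the raw line carries the escape sequence \\r\\n while the decoded
    message carries an actual CR LF, which is the escaping described in the thread."""
    decoded = load_alert(alert_line)["data"]["win"]["system"]["message"]
    return "\\r\\n" in alert_line and "\r\n" in decoded


def summarize(alert: Dict[str, Any]) -> Dict[str, str]:
    """Pick out the fields the thread asks for: who failed, from where, which event."""
    fields = dict(flatten(alert.get("data", {})))
    rule = alert["rule"]
    return {
        "agent": alert.get("agent", {}).get("name", "?"),
        "rule": f'{rule["id"]} (level {rule["level"]})',
        "description": rule["description"],
        "eventID": str(fields.get("win.system.eventID", "?")),
        "user": str(fields.get("win.eventdata.targetUserName", "?")),
        "source": str(fields.get("win.eventdata.ipAddress", "?")),
        "status": str(fields.get("win.eventdata.status", "?")),
    }


def render_email(alert_line: str) -> str:
    """Build a readable mail body: the summary first, then the Windows message
    with its line breaks restored, then the flattened field list."""
    alert = load_alert(alert_line)
    body = [f"{key}: {value}" for key, value in summarize(alert).items()]
    # json.loads already turned \r\n into CR LF; the event text itself is wrapped
    # in literal quotes (as in the thread), so strip those for display.
    message = alert["data"]["win"]["system"]["message"].strip('"')
    body += ["", message.replace("\r\n", "\n").rstrip(), ""]
    body += [f"{key}: {value}" for key, value in flatten(alert["data"])
             if key != "win.system.message"]
    return "\n".join(body)


if __name__ == "__main__":
    print(render_email(ALERT_JSON))
```

Run as a script it prints the summary, then the Kerberos message with real line breaks, then the field list; the same summarize() step is what an integration script or a custom mailer would use to put the failing user and source address at the top of the mail instead of behind the raw JSON line.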

ozgursuder commented 3 years ago

Inside the incoming email alert information there are the Previous_output: and Message: parts. I wonder if I have a chance to delete this information.

ozgursuder commented 3 years ago

Frankly, I closed this problem with elastalert.

I arranged the content of the incoming mail as I wanted, and the incoming email became more understandable and simple. I hope wazuh will allow us to customize the email alert in the next version.

Molter73 commented 3 years ago

I'm sorry to hear you were not able to get the desired results from using Wazuh's mail module. We are aware it has some shortcomings and, as with all of our software, we will continue working to keep improving it. We will take your comments into account for later iterations of maild.

ozgursuder commented 3 years ago

At least in the local rule email alert part, as a suggestion, a simple change could be made as follows. Optionally a filter could be applied:

<rule id="60122" level="5">
  <if_sid>60105</if_sid>
  <field name="win.system.eventID">^529$|^4625$</field>
  <description>Logon Failure - Unknown User or Bad Password</description>
  <options>no_full_log</options>
  <options>alert_by_email</options>
  <email>
    <alert_text_args>win.eventdata.targetUserName win.eventdata.ipAddress win.system.eventID</alert_text_args>
  </email>
  <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>