
Fix logon alerts triggering #304

Merged (3 commits), Mar 4, 2019

Conversation

cristgl (Contributor) commented Feb 26, 2019

This PR solves issue #298 for Windows eventchannel. There is a new rule that checks whether the fields workstation name, IP address and IP port exist.

chemamartinez (Contributor) commented Feb 26, 2019

Let me propose a more specific rule for this purpose.

Regarding the event posted here and the Windows event 4624 described here:

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624

We can use the logonType to determine that it is a physical logon.

@@ -1160,6 +1160,16 @@
<options>no_full_log</options>
</rule>

<rule id="20021" level="3">
Contributor commented on the diff:

This alert can make alert 20019 not appear when a user logs in physically for the first time on the system. I would change their order.

@@ -1160,6 +1160,16 @@
<options>no_full_log</options>
</rule>

<rule id="20021" level="3">
<if_sid>20007</if_sid>
<field name="EventChannel.EventData.WorkstationName">\.+</field>
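Review bot: the pattern `\.+` on `EventChannel.EventData.WorkstationName` only asserts that the field is non-empty, because in the OSSEC regex dialect used by `<field>` the escape `\.` matches any single character; a 4624 event whose source fields hold a placeholder such as `-` still satisfies it, and network logons populate the workstation name as well, so the rule cannot tell a physical logon from a remote one. Since rule 20021 chains from 20007 and is meant to flag a physical logon, match on the event's LogonType (2 for an interactive console logon) rather than on field presence, and use the decoder's current field names instead of the `EventChannel.EventData.*` ones flagged as old below.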
Contributor commented on the diff:

Old field names.
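To make the distinction raised in this review concrete, here is an added example that is not code from the PR or from the ruleset. It runs the two checks side by side on constructed 4624 events: the PR's non-empty-field check, written as the Python equivalent of the OSSEC `\.+` pattern, and the LogonType check proposed in review. The `win.eventdata.*` field names, the sample events and the function names are assumptions made for this illustration, not something the PR shows.

```python
"""Classify Windows 4624 logon events by LogonType instead of by field presence."""
import json
import re

# In the OSSEC/Wazuh regex dialect used by <field>, "\." matches any single
# character, so the PR's pattern "\.+" only asserts that a field is non-empty.
# Python's ".+" is the equivalent check.
NON_EMPTY = re.compile(r".+")

# Microsoft's LogonType values for event 4624.
LOGON_TYPES = {
    "2": "Interactive",         # logged on at the console (physical keyboard)
    "3": "Network",             # SMB, mapped drive, remote management, etc.
    "4": "Batch",               # scheduled task
    "5": "Service",             # service started by the Service Control Manager
    "7": "Unlock",              # workstation unlocked
    "8": "NetworkCleartext",    # e.g. IIS basic authentication
    "9": "NewCredentials",      # runas /netonly
    "10": "RemoteInteractive",  # RDP / Terminal Services
    "11": "CachedInteractive",  # console logon with cached domain credentials
}

# Logon types that mean someone is physically at the machine.
PHYSICAL_LOGON_TYPES = {"2", "11"}


# Constructed sample events, not real captures. The win.eventdata.* field
# names are an assumption about the decoder's current naming; the PR diff
# only shows the older EventChannel.EventData.* names.
def _event(logon_type, user, workstation, ip, port):
    return json.dumps({
        "win": {
            "system": {"eventID": "4624", "computer": "WS01.corp.example"},
            "eventdata": {
                "logonType": logon_type,
                "targetUserName": user,
                "workstationName": workstation,
                "ipAddress": ip,
                "ipPort": port,
            },
        }
    })


SAMPLE_EVENTS = [
    _event("2", "alice", "WS01", "-", "-"),                # console logon: "-" placeholders, not empty
    _event("3", "bob", "LAPTOP7", "10.0.0.5", "49233"),     # network logon from another host
    _event("5", "svc_backup", "", "-", "-"),               # service logon: no workstation name
    _event("10", "carol", "JUMP01", "10.0.0.9", "51844"),   # RDP session
]


def fields_present(eventdata):
    """The PR's approach: fire when workstation name, IP address and IP port are non-empty."""
    return all(
        NON_EMPTY.fullmatch(eventdata.get(key, "")) is not None
        for key in ("workstationName", "ipAddress", "ipPort")
    )


def is_physical_logon(event):
    """The approach proposed in review: decide by LogonType, not by which fields are filled."""
    return (
        event["win"]["system"]["eventID"] == "4624"
        and event["win"]["eventdata"].get("logonType") in PHYSICAL_LOGON_TYPES
    )


def classify_logon(raw_json):
    """Return how both checks judge one decoded 4624 event."""
    event = json.loads(raw_json)
    data = event["win"]["eventdata"]
    return {
        "user": data.get("targetUserName"),
        "logon_type": LOGON_TYPES.get(data.get("logonType"), "Unknown"),
        "fields_present": fields_present(data),
        "physical": is_physical_logon(event),
    }


def classify_logons(raw_events):
    """Classify a batch of decoded events in order."""
    return [classify_logon(raw) for raw in raw_events]


if __name__ == "__main__":
    for result in classify_logons(SAMPLE_EVENTS):
        print(result)
```

The console logon carries `-` placeholders for IP address and port, which `\.+` still matches, while the network and RDP logons carry real values, so field presence alone cannot separate a physical logon from a remote one; LogonType 2 (and 11 for cached domain credentials) can. In a Wazuh rule the equivalent is a `<field>` match on the logonType field anchored to those values, with the field name checked against the decoder version in use.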
