Detectors with custom rules are not producing any findings or alerts

I am currently using OpenSearch (2.6.0), installed using Docker Compose. I have a local Active Directory setup and ingested the logs using winlogbeat. I am trying to create a detector and custom rules to work with AD logs.

I created a detector with log type ad_ldap.

I mapped EventID to winlog.event_id:

{
  "adlogs-*": {
    "mappings": {
      "properties": {
        "timestamp": {
          "type": "alias",
          "path": "@timestamp"
        },
        "EventID": {
          "type": "alias",
          "path": "winlog.event_id"
        }
      }
    }
  }
}

I created a custom rule to trigger alerts when I get the events 4634, 4672 or 4624:

id: wu9bNIcBdlmJg7N0QOcI
logsource:
  product: ad_ldap
title: Sample Alert
description: Detects EventID 4634 or 4672 or 4624
tags:
  - attack.persistence
  - attack.t1546.003
falsepositives:
  - Exclude legitimate (vetted) use of WMI event subscription in your network
level: medium
status: stable
references: []
author: Kagamee
detection:
  selection:
    EventID:
      - 4634
      - 4672
      - 4624
  condition: selection

The log being shipped by winlogbeat is:

{
  "@timestamp": "2023-03-30T21:40:21.751Z",
  "message": "",
  "ecs": {
    "version": "1.8.0"
  },
  "agent": {
    "hostname": "pdc",
    "ephemeral_id": "64521a4c-ff1a-4814-9ceb-f208c4e3c266",
    "id": "6e62be3a-4bd6-4d68-b7bd-7756187357fe",
    "name": "pdc",
    "type": "winlogbeat",
    "version": "7.12.1"
  },
  "winlog": {
    "api": "wineventlog",
    "computer_name": "pdc.domain.local",
    "opcode": "Info",
    "event_id": 4634,
    "provider_name": "Microsoft-Windows-Security-Auditing",
    "event_data": {
      "TargetUserName": "PDC$",
      "TargetDomainName": "DOMAIN",
      "TargetLogonId": "0x287ed78",
      "LogonType": "3",
      "TargetUserSid": "S-1-5-18"
    }
  }
}

The problem is, I do not see any alerts or findings despite the logs being shipped continuously.

Can anyone please help me figure out which steps I am missing, or how to debug/troubleshoot the issue? Is it in the rule? The mapping?

I have looked through the log messages of the OpenSearch nodes. This is what I find:

[2023-03-30T22:38:31,699][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-network-alerts/E1l5udd4SlOkrAyYr7302g]
[2023-03-30T22:38:31,710][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-network-alerts-history-2023.03.28-1/gFWYAyN9RXunxV9br030tQ]
[2023-03-30T22:38:31,719][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-network-findings-2023.03.28-1/2lxVZSzeS1Ono89qdOPiCg]
[2023-03-30T22:38:31,740][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-network-detectors-queries-000002/s-D6HSrsSPq_jEMHWprsrg]
[2023-03-30T22:38:32,534][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-network-alerts/E1l5udd4SlOkrAyYr7302g]
[2023-03-30T22:38:32,547][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-network-alerts-history-2023.03.28-1/gFWYAyN9RXunxV9br030tQ]
[2023-03-30T22:38:32,554][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-network-findings-2023.03.28-1/2lxVZSzeS1Ono89qdOPiCg]
[2023-03-30T22:38:32,568][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-network-detectors-queries-000002/s-D6HSrsSPq_jEMHWprsrg]
[2023-03-30T22:38:42,372][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-network-alerts/E1l5udd4SlOkrAyYr7302g]
[2023-03-30T22:38:42,386][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-network-alerts-history-2023.03.28-1/gFWYAyN9RXunxV9br030tQ]
[2023-03-30T22:38:42,394][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-network-findings-2023.03.28-1/2lxVZSzeS1Ono89qdOPiCg]
[2023-03-30T22:38:42,405][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-network-detectors-queries-000002/s-D6HSrsSPq_jEMHWprsrg]
[2023-03-30T22:38:52,720][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-network-alerts/E1l5udd4SlOkrAyYr7302g]
[2023-03-30T22:38:52,730][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-network-alerts-history-2023.03.28-1/gFWYAyN9RXunxV9br030tQ]
[2023-03-30T22:38:52,739][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-network-findings-2023.03.28-1/2lxVZSzeS1Ono89qdOPiCg]
[2023-03-30T22:38:52,749][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-network-detectors-queries-000002/s-D6HSrsSPq_jEMHWprsrg]
[2023-03-30T22:39:20,330][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-ad_ldap-alerts/1HoWogLYQbCmlrrTZ3y7Yw]
[2023-03-30T22:39:20,339][INFO ][o.o.a.a.AlertIndices     ] [opensearch-node4] Index mapping of .opensearch-sap-ad_ldap-alerts is updated
[2023-03-30T22:39:20,342][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-ad_ldap-alerts-history-2023.03.30-1/8n3rrRZJTViXbtrI4eyPuQ]
[2023-03-30T22:39:20,346][INFO ][o.o.a.a.AlertIndices     ] [opensearch-node4] Index mapping of .opensearch-sap-ad_ldap-alerts-history-2023.03.30-1 is updated
[2023-03-30T22:39:20,349][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-ad_ldap-findings-2023.03.30-1/IVKrhYcFTHKLW_bL-0doGg]
[2023-03-30T22:39:20,352][INFO ][o.o.a.a.AlertIndices     ] [opensearch-node4] Index mapping of .opensearch-sap-ad_ldap-findings-2023.03.30-1 is updated
[2023-03-30T22:39:20,359][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-ad_ldap-detectors-queries-000001/xmzNUheXR4iUEdtDtJuLmA]
[2023-03-30T22:39:20,400][INFO ][o.o.p.PluginsService     ] [opensearch-node4] PluginService:onIndexModule index:[.opensearch-sap-ad_ldap-detectors-queries-000001/xmzNUheXR4iUEdtDtJuLmA]
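An added troubleshooting aid, not part of the original post: a small Python check that applies the detector's alias mapping and the rule's selection to the shipped winlogbeat document locally, so the field path, the value and its type can be confirmed against a real log before suspecting the detector itself. The field names, alias paths and event IDs come from the post; the sample document is a trimmed, constructed copy of the one shown.

```python
import json

# Alias mapping from the post: rule field name -> dotted path in the document.
FIELD_MAPPINGS = {
    "timestamp": "@timestamp",
    "EventID": "winlog.event_id",
}

# The rule's detection.selection block: a list of values is an OR on that field.
RULE_SELECTION = {"EventID": [4634, 4672, 4624]}

# Constructed sample: a trimmed copy of the winlogbeat document from the post.
SAMPLE_DOC = json.loads('''{
  "@timestamp": "2023-03-30T21:40:21.751Z",
  "winlog": {"api": "wineventlog", "event_id": 4634,
             "provider_name": "Microsoft-Windows-Security-Auditing",
             "event_data": {"TargetUserName": "PDC$", "LogonType": "3"}}
}''')


def resolve(doc, dotted_path):
    """Walk a dotted path such as 'winlog.event_id' through nested dicts."""
    cur = doc
    for part in dotted_path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def check_selection(doc, selection, mappings):
    """Return (matched, rows). One row per rule field records the alias path
    used, the value found, its JSON type and whether it hit. Fields are ANDed,
    values within a field ORed (Sigma semantics). Values are compared as
    strings so a keyword-vs-integer storage difference shows up in 'type'."""
    rows, matched = [], True
    for field, wanted in selection.items():
        path = mappings.get(field, field)          # unmapped field: raw name
        value = resolve(doc, path)
        wanted_list = wanted if isinstance(wanted, list) else [wanted]
        hit = value is not None and str(value) in {str(w) for w in wanted_list}
        rows.append({"field": field, "path": path, "mapped": field in mappings,
                     "value": value, "type": type(value).__name__, "hit": hit})
        matched = matched and hit
    return matched, rows


if __name__ == "__main__":
    ok, rows = check_selection(SAMPLE_DOC, RULE_SELECTION, FIELD_MAPPINGS)
    for row in rows:
        print(row)
    print("rule would match" if ok else "rule would NOT match")
```

If this reports a match for a document copied from the index, the rule logic and alias path agree with the data, and the search moves to the detector side (index pattern, schedule, and the type the index mapping actually assigns to winlog.event_id).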
