alert trigger by label or by group name


Serano Tomas

Aug 18, 2023, 7:29:36 AM
to Wazuh mailing list
Please help me.

I created a group called "linux" to which I added 10 Linux agents, then I put the label "linux" on that group.

I want an alert to be raised when someone from this group uses the "rm" or "mkdir" command. Is this possible?

I mention that in Discover I find a log with agent.labels.group: linux and data.audit.command: rm


<agent_config>
<!-- Shared agent configuration here -->
<labels>
<label key="grup">linux</label>
</labels>
</agent_config>

Md. Nazmur Sakib

Aug 18, 2023, 8:28:37 AM
to Wazuh mailing list

Hi Serano Tomas,

Hope you are doing well. Thank you for using Wazuh.

Unfortunately, it is not possible to filter rules by agent group at the moment as the rule engine has no awareness of agent groups. Here are some options with which you can achieve something similar:

  • Use labels: It is possible to add labels to the agent's groups that will be applied to every alert triggered by those agents. To do that you can apply a centralized configuration to set up the label for each specific group.
    [screenshots: centralized configuration (agent.conf) setting the label for the group]
    Once that is done you can verify the new alerts from those agents and confirm that the label is applied. You can also filter by the labels in the Wazuh dashboard and create custom rules that trigger on matching labels.
    [screenshot: alerts from the agents showing the applied label]

  • Use a specific field: If you have a specific field in the alert that is common to all the agents of a group, you can edit the rules so that they are only triggered when that field has the expected value. For example: if all the agent hostnames of the group "lab" start with "lab-" and you want to filter rule 5701, you can create a child rule similar to this:

      <rule id="100002" level="8">
        <if_sid>5701</if_sid>
        <hostname type="PCRE2">lab-.+</hostname>
        <description>sshd: Possible attack on the ssh server </description>
        <description>(or version gathering). - Known agent</description>
      </rule>

    This way the rule will only be triggered when the agent hostname starts with "lab-".


    [screenshot: agents named "lab-*" triggering rule 100002, other agents triggering rule 5701]

    As you can see in the previous image, agents starting with "lab-" trigger the custom rule, while agents that don't start with "lab-" trigger the original rule.

You can find more information about labels and custom rules on the following links: 


I hope you find this information helpful. Let me know if you have any questions. 


Regards
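Added example (not from this thread and not Wazuh's own code): a small Python check for the verification step above, reading newline-delimited alerts.json records, confirming which agents carry the shared label from the first post (key "grup", value "linux") and listing which labeled agents ran a watched audit command such as rm or mkdir. The alert lines are constructed for the example; the field layout (agent.labels, data.audit.command) follows the fields mentioned in the thread.

```python
import json

# Constructed sample of alerts.json lines (not real data): two agents carry the
# shared label grup=linux from the group's agent.conf, the third does not.
SAMPLE_ALERTS = [
    {"agent": {"id": "001", "name": "aac", "labels": {"grup": "linux"}},
     "data": {"audit": {"command": "rm", "exe": "/usr/bin/rm"}}},
    {"agent": {"id": "002", "name": "ffghs", "labels": {"grup": "linux"}},
     "data": {"audit": {"command": "mkdir", "exe": "/usr/bin/mkdir"}}},
    {"agent": {"id": "003", "name": "win01"},
     "data": {"audit": {"command": "rm"}}},
    {"agent": {"id": "001", "name": "aac", "labels": {"grup": "linux"}},
     "data": {"srcip": "10.0.0.5"}},
]
ALERTS_JSON = "\n".join(json.dumps(a) for a in SAMPLE_ALERTS)

WATCHED_COMMANDS = {"rm", "mkdir"}


def label_of(alert, key):
    """Return the value of agent label `key` on an alert, or None if absent."""
    return alert.get("agent", {}).get("labels", {}).get(key)


def audit_command(alert):
    """Return data.audit.command from an alert, or None if not an audit alert."""
    return alert.get("data", {}).get("audit", {}).get("command")


def find_group_commands(alerts_json, label_key, label_value, commands=WATCHED_COMMANDS):
    """Scan newline-delimited alerts. Returns (hits, unlabeled): hits are
    (agent name, command) pairs for labeled agents that ran a watched command;
    unlabeled lists agents that ran one without carrying the expected label,
    which is the case the label check is meant to surface."""
    hits, unlabeled = [], set()
    for line in alerts_json.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        cmd = audit_command(alert)
        if cmd not in commands:
            continue  # not an audit alert for a watched command
        name = alert["agent"]["name"]
        if label_of(alert, label_key) == label_value:
            hits.append((name, cmd))
        else:
            unlabeled.add(name)
    return hits, sorted(unlabeled)


if __name__ == "__main__":
    hits, unlabeled = find_group_commands(ALERTS_JSON, "grup", "linux")
    for name, cmd in hits:
        print(f"group linux: agent {name} ran {cmd}")
    print("watched command from agents without the label:", unlabeled)
```

Run it against a real file with `find_group_commands(open("/var/ossec/logs/alerts/alerts.json").read(), "grup", "linux")`; any agent in the unlabeled list either is not in the group or has not yet received the shared configuration.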

Serano Tomas

Aug 18, 2023, 10:29:53 AM
to Md. Nazmur Sakib, Wazuh mailing list
Thanks for the reply,

Unfortunately, I don't have the same hostnames; they are all different ("aac", "ffghs", ...), and we don't even have the possibility to change them.

Can you help me create a simple alert based on a label?

None of these work; I must be wrong somewhere.



<agent_config>
<!-- Shared agent configuration here -->
<labels>
<label key="test.grup">testing</label>
</labels>
</agent_config>

and in local_rules.xml


  <rule id="444461" level="11">
    <if_sid>807001</if_sid>
    <field name="agent.labels.test.grup">testing</field>
    <list field="audit.exe" lookup="not_match_key">etc/lists/list-testing</list>
    <description>rm command used</description>
  </rule>

  <rule id="444462" level="11">
    <if_sid>553</if_sid>
    <field name="agent.labels.test.grup">testing</field>
    <description>file was deleted from group testing</description>
  </rule>
