Help with custom Windows rule


Facu Basgall

Jan 21, 2026, 9:45:26 AM (24 hours ago) Jan 21
to Wazuh | Mailing List

Hi, I'm sending data from the Swift application to the event viewer of an agent, specifically to Application.

I'm seeing the logs correctly in Wazuh but I want to build custom rules based on the severity and/or type of event that comes inside "data.win.eventdata.data" or "data.win.system.message"

I've tried several ways through "match" and "field" but I can't get the corresponding rules to fire. Can you help me?


I leave examples of these fields mentioned and the rules that I would need in the first instance.


Example Swift event:
data.win.eventdata.data or data.win.system.message

CEF:0|SWIFT|Alliance Access|7.8.50|BSA-3001|Signoff|Low|cn1=2147483910 cn1Label=Event Sequence ID cn2=0 cn2Label=Is Alarm cs1=5bc5b810-569b-4829-b1eb-5736587b3580 cs1Label=Instance UUID cs2=ed6f873a-4cc9-4b53-9664-ce56508ba8c7 cs2Label=Correlation ID cs4=HZAs4crkZkIj5iwVDwLMvRqKk+3e0aN3uuajYk8yOFMD cs4Label=Session ID cs5=Security cs5Label=Event Type cat=Operator msg=Operator PEPE : signed off from the terminal '192.168.11.88'. suid=PEPE dvchost=SRV38 dvc=192.168.11.88 dvcmac=00:50:56:8C:97:92 deviceProcessName=WS_appsrv src=192.168.11.88 dtz=America/Buenos_Aires rt=1769004538000 outcome=Success


Rules:

<group name="windows,windows_application,swift,syslog,">
  <rule id="101806" level="3">
    <if_sid>60600,60601,60602,61069,61070</if_sid>
    <field name="win.system.providerName">^SWIFT$</field>
    <options>no_full_log</options>
    <description>Group of rules for SWIFT.</description>
  </rule>
  <rule id="101807" level="3">
    <if_sid>101806</if_sid>
    <field name="win.system.message">.+\|Low\|.+</field>
    <description>SWIFT - Low level rule</description>
  </rule>
  <rule id="101808" level="7">
    <if_sid>101806</if_sid>
    <field name="win.system.message">.+\|Medium\|.+</field>
    <description>SWIFT - Medium level rule</description>
  </rule>
  <rule id="101809" level="10">
    <if_sid>101806</if_sid>
    <field name="win.system.message">.+\|High\|.+</field>
    <description>SWIFT - High level rule</description>
  </rule>
</group>



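The post above shows the CEF line as it lands in the Windows event and the level each severity word should map to (Low 3, Medium 7, High 10). The following is an added example, my own code rather than anything from the thread or from Wazuh: a small CEF parser that splits the pipe-delimited header (honouring the `\|` and `\\` escapes), parses the `key=value` extension where values such as `cn1Label=Event Sequence ID` contain spaces, resolves the `csN`/`cnN` labels, and then reads the severity from the header field itself rather than from a `|Low|` substring anywhere in the line. `SAMPLE_EVENT`, `parse_cef`, `rule_level` and the JSON shape wrapping the two paths named in the post (`data.win.eventdata.data`, `data.win.system.message`) are my assumptions; the CEF line is the one from the post. It goes one step beyond the post by also normalising the numeric 0-10 severities the CEF specification allows.

```python
import re

# Constructed sample: the SWIFT CEF line quoted in the thread, wrapped in the two
# event paths the poster named. The surrounding dict shape is an assumption.
SAMPLE_CEF = (
    "CEF:0|SWIFT|Alliance Access|7.8.50|BSA-3001|Signoff|Low|"
    "cn1=2147483910 cn1Label=Event Sequence ID cn2=0 cn2Label=Is Alarm "
    "cs1=5bc5b810-569b-4829-b1eb-5736587b3580 cs1Label=Instance UUID "
    "cs2=ed6f873a-4cc9-4b53-9664-ce56508ba8c7 cs2Label=Correlation ID "
    "cs4=HZAs4crkZkIj5iwVDwLMvRqKk+3e0aN3uuajYk8yOFMD cs4Label=Session ID "
    "cs5=Security cs5Label=Event Type cat=Operator "
    "msg=Operator PEPE : signed off from the terminal '192.168.11.88'. "
    "suid=PEPE dvchost=SRV38 dvc=192.168.11.88 dvcmac=00:50:56:8C:97:92 "
    "deviceProcessName=WS_appsrv src=192.168.11.88 dtz=America/Buenos_Aires "
    "rt=1769004538000 outcome=Success"
)
SAMPLE_EVENT = {"data": {"win": {"system": {"providerName": "SWIFT",
                                             "message": SAMPLE_CEF},
                                  "eventdata": {"data": SAMPLE_CEF}}}}

# Levels the thread's rules 101807-101809 assign to each severity word.
SEVERITY_LEVEL = {"Low": 3, "Medium": 7, "High": 10}

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
_EXT_KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")


def split_header(line):
    """Return the 7 header fields and the extension remainder.

    In the header '\\|' and '\\\\' are escapes, so a plain split('|') would
    break on a vendor or product name that contains a pipe."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF header: %r" % line[:40])
    fields[0] = fields[0][4:]          # "CEF:0" -> "0"
    return dict(zip(HEADER_FIELDS, fields)), line[i:]


def _unescape(value):
    # Extension escapes: '\=' '\\' and '\r' / '\n' for line breaks.
    return re.sub(r"\\([\\=rn])",
                  lambda m: "\n" if m.group(1) in "rn" else m.group(1), value)


def parse_extension(ext):
    """Split 'key=value key=value' where values may themselves contain spaces:
    a value runs from its '=' up to the next 'word=' token."""
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end(): nxt.start() if nxt else len(ext)].strip()
        out[m.group(1)] = _unescape(raw)
    return out


def resolve_labels(ext):
    """Map csNLabel / cnNLabel names onto their csN / cnN values."""
    return {label: ext[key[:-5]] for key, label in ext.items()
            if key.endswith("Label") and key[:-5] in ext}


def parse_cef(line):
    header, rest = split_header(line)
    header["extension"] = parse_extension(rest)
    header["labeled"] = resolve_labels(header["extension"])
    return header


def severity_word(sev):
    """Normalise severity: CEF allows Low/Medium/High/Very-High or 0-10."""
    if sev.strip().isdigit():
        n = int(sev)
        return ("Low" if n <= 3 else "Medium" if n <= 6
                else "High" if n <= 8 else "Very-High")
    return sev.strip().title()


def rule_level(event):
    """Level the thread's SWIFT rules intend for this event, or None.

    Reads the CEF line from the two paths named in the thread and classifies
    on the header's severity field, so a msg= value that happens to contain
    '|High|' cannot mis-classify the event."""
    win = event.get("data", {}).get("win", {})
    if win.get("system", {}).get("providerName") != "SWIFT":
        return None
    line = (win.get("eventdata", {}).get("data")
            or win.get("system", {}).get("message") or "")
    try:
        cef = parse_cef(line)
    except ValueError:
        return None
    if cef["device_vendor"] != "SWIFT":
        return None
    word = severity_word(cef["severity"])
    # Assumption: the thread has no rule above High, so Very-High takes High's level.
    return SEVERITY_LEVEL.get("High" if word == "Very-High" else word)


if __name__ == "__main__":
    cef = parse_cef(SAMPLE_CEF)
    print(cef["signature_id"], cef["name"], cef["severity"], cef["labeled"]["Event Type"])
    print("level:", rule_level(SAMPLE_EVENT))
```

Running it against the sample prints the signature id, event name, severity and the resolved `Event Type` label, then `level: 3`. Feeding a variant of `SAMPLE_CEF` with `|Medium|` or `|High|` in the header, or a numeric severity, is a quick way to confirm what a rule set keyed on that field should produce before touching the Wazuh ruleset.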

Nicolas Stefani

Jan 21, 2026, 11:19:16 AM (22 hours ago) Jan 21
to Facu Basgall, Wazuh | Mailing List
Hi,

Since your CEF payload is clearly visible in the raw message, <match> is the most reliable approach.

Please try with:

<group name="windows,windows_application,swift,">
  <!-- Base SWIFT rule -->

  <rule id="101806" level="3">
    <if_sid>60600,60601,60602,61069,61070</if_sid>
    <field name="win.system.providerName">^SWIFT$</field>
    <match>^CEF:0\|SWIFT\|</match>

    <description>Group of rules for SWIFT.</description>
  </rule>

  <!-- Low severity -->

  <rule id="101807" level="3">
    <if_sid>101806</if_sid>
    <match>\|Low\|</match>

    <description>SWIFT - Low level rule</description>
  </rule>

  <!-- Medium severity -->

  <rule id="101808" level="7">
    <if_sid>101806</if_sid>
    <match>\|Medium\|</match>

    <description>SWIFT - Medium level rule</description>
  </rule>

  <!-- High severity -->

  <rule id="101809" level="10">
    <if_sid>101806</if_sid>
    <match>\|High\|</match>

    <description>SWIFT - High level rule</description>
  </rule>
</group>


--
Wazuh Nicolás Stefani
Software Engineer

Facu Basgall

Jan 21, 2026, 11:26:50 AM (22 hours ago) Jan 21
to Wazuh | Mailing List

The rule 101806 works fine as I sent it and no match is necessary. The following rules do not work with either field or match as you propose; I have tried it.
