Wazuh rule to trigger when two other rules have triggered recently


Vetter517
Jan 15, 2025, 11:34:56 PM
to wa...@googlegroups.com
Hello,

I am playing around with Wazuh and am trying to make a rule that gets generated when two other rules occur. It seems the configurations I tried work, but with an OR operator, so two of the same rule may trigger and cause the new rule to trigger.

To be more specific: when rule 92650 is triggered, it is possible a remote user accessed the system to then create a local service. 92650 does not have the user info as it is a system event. I need to hunt for the 67017 that happened a couple of seconds before the 92650 event, which shows the remote user access.

I have tried creating a rule using <if_sid> and <if_group> but am not getting the desired result. I need a rule where both 92650 and 67017 must have each triggered at least once within 5 seconds, not when multiple 67017s trigger without a 92650 or multiple 92650s without a 67017.

I looked at another conversation but the solution did not work when I tried it. Here is the URL for reference:

I tried copying the post and then made many variations but could not get it to work. I will paste below what I have, which generates 100901 and 100902 when I test but not 100903. If I use <if_matched_sid> it stops logging the events completely.
<group name="local,custom">

  <rule id="100901" level="11">
    <if_sid>67017</if_sid>
    <description>67017 triggered</description>
  </rule>
  
  <rule id="100902" level="11">
    <if_sid>92650</if_sid>
    <description>92650 triggered</description>
  </rule>
  <!-- Correlate rule 92650 with details from 67017 -->
  
  <rule id="100903" level="11" timeframe="5">  
    <if_sid>100901</if_sid>
    <if_sid>100902</if_sid>
    <description>
      Correlate 92650 and 67017. 92650 is the service creation, 67017 shows network access if done remotely.
    </description>
  </rule>
</group>

Md. Nazmur Sakib

Jan 16, 2025, 12:18:14 AM
to Wazuh | Mailing List

Hi Vetter,

I believe your goal is to hunt for the 67017 that happened a couple of seconds before the 92650 event, which shows the remote user access.

We can write a rule like this to check if 100901 or 100902 triggered 2 times within a time frame.

<group name="local,custom1">

  <rule id="100901" level="11">
    <if_sid>67017</if_sid>
    <description>67017 triggered</description>
  </rule>

  <rule id="100902" level="11">
    <if_sid>92650</if_sid>
    <description>92650 triggered</description>
  </rule>
  <!-- Correlate rule 92650 with details from 67017 -->

</group>

<group name="local,custom2">

  <!-- frequency/timeframe count alerts from any rule in group custom1, i.e. 100901 or 100902 -->
  <rule id="100903" level="11" frequency="2" timeframe="360">
    <if_matched_group>custom1</if_matched_group>
    <description>
      Correlate 92650 and 67017. 92650 is the service creation, 67017 shows network access if done remotely.
    </description>
  </rule>

</group>

You can make changes to the frequency and timeframe based on your needs.

Check the document for reference:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-matched-group
The exact correlation you are looking for is not possible at this moment. The good thing is this will change in our 5.0 version which will include a refactor of the analysis engine, so those correlations will be possible.

I hope you find this information useful.
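Added example, not part of either post above and not Wazuh's own code: a small Python script that models the two behaviours discussed in this thread over constructed alerts.json-style lines. group_frequency_fires is a simplified model of a frequency/timeframe rule on a shared group (it fires on any two alerts from the group within the window, so two 67017 alerts alone trigger it, which is the OR behaviour the question describes; it does not reproduce the Wazuh engine's exact counting). correlate_pairs does the hunt the question asks for after the fact: for each 92650 alert it looks back 5 seconds for a 67017 and attaches that alert's user. The rule IDs and the 5-second window come from the thread; the agent name and the data.user, data.srcip and data.service fields are hypothetical placeholders, not the real decoder output for these rules.

```python
import json
from datetime import datetime, timedelta

# Constructed sample lines in the layout of Wazuh's alerts.json (one JSON object
# per line, with "timestamp" and "rule.id"). The agent and "data" fields are
# hypothetical placeholders, not the real decoder output for rules 67017/92650.
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    # remote access by alice, followed 2 s later by a service creation: a true pair
    {"timestamp": "2025-01-15T23:34:50.000+0000", "rule": {"id": "67017", "level": 5},
     "agent": {"name": "srv01"}, "data": {"user": "alice", "srcip": "10.0.0.5"}},
    {"timestamp": "2025-01-15T23:34:52.000+0000", "rule": {"id": "92650", "level": 11},
     "agent": {"name": "srv01"}, "data": {"service": "updater"}},
    # two remote-access alerts 1 s apart with no service creation at all
    {"timestamp": "2025-01-15T23:40:00.000+0000", "rule": {"id": "67017", "level": 5},
     "agent": {"name": "srv01"}, "data": {"user": "bob", "srcip": "10.0.0.9"}},
    {"timestamp": "2025-01-15T23:40:01.000+0000", "rule": {"id": "67017", "level": 5},
     "agent": {"name": "srv01"}, "data": {"user": "bob", "srcip": "10.0.0.9"}},
    # a service creation with no remote access in the preceding 5 s
    {"timestamp": "2025-01-15T23:50:00.000+0000", "rule": {"id": "92650", "level": 11},
     "agent": {"name": "srv01"}, "data": {"service": "backup"}},
])

TIMEFRAME = timedelta(seconds=5)


def parse_alerts(text):
    """Parse alerts.json lines into (timestamp, alert) tuples sorted by time."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        alerts.append((ts, alert))
    alerts.sort(key=lambda item: item[0])
    return alerts


def group_frequency_fires(alerts, group_ids, frequency=2, timeframe=TIMEFRAME):
    """Simplified model of a frequency/timeframe rule that matches a shared group.

    Fires when `frequency` alerts whose rule id is in `group_ids` fall within
    `timeframe`, whatever their ids: two 67017s count just like a 67017 followed
    by a 92650. Returns the timestamps at which it fires. This models the OR
    behaviour discussed in the thread, not Wazuh's exact counting.
    """
    window = []
    fired = []
    for ts, alert in alerts:
        if alert["rule"]["id"] not in group_ids:
            continue
        window = [t for t in window if ts - t <= timeframe] + [ts]
        if len(window) >= frequency:
            fired.append(ts)
            window = []  # one burst fires once
    return fired


def correlate_pairs(alerts, trigger_id="92650", precursor_id="67017", timeframe=TIMEFRAME):
    """The correlation the question asks for: for every `trigger_id` alert, find
    `precursor_id` alerts in the preceding `timeframe` and pair them, so the
    service-creation alert inherits the user from the remote-access alert.
    A lone trigger or a burst of precursors on their own produces no pair."""
    precursors = []
    pairs = []
    for ts, alert in alerts:
        rule_id = alert["rule"]["id"]
        if rule_id == precursor_id:
            precursors.append((ts, alert))
        elif rule_id == trigger_id:
            for pts, precursor in precursors:
                if timedelta(0) <= ts - pts <= timeframe:
                    pairs.append({
                        "service_event": alert,
                        "remote_access": precursor,
                        "user": precursor["data"].get("user"),
                        "delta_s": (ts - pts).total_seconds(),
                    })
    return pairs


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for ts in group_frequency_fires(alerts, {"67017", "92650"}):
        print("frequency rule fires at", ts.isoformat())
    for pair in correlate_pairs(alerts):
        print("92650 at", pair["service_event"]["timestamp"],
              "preceded by 67017 from", pair["user"],
              "%.1fs earlier" % pair["delta_s"])
```

On the sample data the group-frequency model fires twice (once on the real pair, once on the two bob alerts that have no service creation), while correlate_pairs returns only the alice pair. To run the hunt on a real manager, feed parse_alerts the contents of /var/ossec/logs/alerts/alerts.json and adjust the rule IDs and window to match the rules you actually have.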