How to compare two fields in a custom rule


José Raeiro

Jun 17, 2024, 7:20:56 AM
to Wazuh | Mailing List
Hello Wazuh #community!

I'm having trouble configuring a rule to ignore alerts when the MailboxOwnerUPN and userId fields are equal in Wazuh. Here's what I'm working with:

<rule id="91578" level="5">
    <if_sid>91532</if_sid>
    <field name="office365.RecordType" type="osregex">^50$</field>
    <description>Office 365: Events related to the MailItemsAccessed mailbox auditing action.</description>
    <options>no_full_log</options>
    <group>ExchangeItemAggregated,hipaa_164.312.b,pci_dss_10.6.2</group>
</rule>

Attempted Solution

Created a rule to detect when MailboxOwnerUPN and userId are equal:

<rule id="222182" level="0">
    <if_sid>91578</if_sid>
    <field name="office365.MailboxOwnerUPN">.+</field>
    <field name="office365.userId">.+</field>
    <description>Ignore alert when MailboxOwnerUPN and userId are the same</description>
    <regex type="pcre2">^.*"office365\.MailboxOwnerUPN":"(\w+)".*"office365\.userId":"\1".*$</regex>
</rule>

Despite these configurations, alerts are still being generated even when MailboxOwnerUPN and userId are the same. Could anyone provide insights or suggestions on how to properly configure these rules to achieve the desired behavior? Any help would be greatly appreciated! Thank you!

Gastón Palomeque

Jun 18, 2024, 1:33:37 PM
to Wazuh | Mailing List
Hello José,

The rules syntax does not allow the comparison of different fields at the moment.

However, there is a workaround; check out the following ruleset:

Decoders

<decoder name="testing_decoder_parent">
    <program_name>example</program_name>
</decoder>

<decoder name="testing_decoder">
    <parent>testing_decoder_parent</parent>
    <regex>Field1: (\S+) </regex>
    <order>field1</order>
</decoder>

<decoder name="testing_decoder">
    <parent>testing_decoder_parent</parent>
    <regex>Field2: (\S+)</regex>
    <order>field2</order>
</decoder>

<decoder name="testing_decoder">
    <parent>testing_decoder_parent</parent>
    <regex>(Field1: \S+ Field2: \S+)</regex>
    <order>comparision_field</order>
</decoder>

Rules

<rule id="100002" level="10">
    <decoded_as>testing_decoder_parent</decoded_as>
    <description>Testing alert</description>
    <field name="comparision_field" type="pcre2">Field1: \S+ Field2: \S+$</field>
    <group>group1</group>
</rule>

<rule id="100003" level="0">
    <if_sid>100002</if_sid>
    <description>Testing alert</description>
    <field name="comparision_field" type="pcre2">Field1: (\S+) Field2: (\1)$</field>
    <group>group1</group>
</rule>

In this example, we are going to follow the sibling decoders approach. In order to compare different fields we define an intermediate decoded value, comparision_field. In this example, it will get Field1 and Field2.

Regarding our rules, we have used a PCRE2 regex to compare the Field1 and Field2 values. In case they are different, rule 100002 will trigger. Otherwise, it will trigger rule 100003 (with level 0, avoiding it appearing in the dashboard).

Logtest Output

root# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.8.0
Type one log per line

Jun 18 17:45:02 MyHost example[12345]: Field1: Value1 Field2: Value1

**Phase 1: Completed pre-decoding.
    full event: 'Jun 18 17:45:02 MyHost example[12345]: Field1: Value1 Field2: Value1'
    timestamp: 'Jun 18 17:45:02'
    hostname: 'MyHost'
    program_name: 'example'

**Phase 2: Completed decoding.
    name: 'testing_decoder_parent'
    comparision_field: 'Field1: Value1 Field2: Value1'
    field1: 'Value1'
    field2: 'Value1'

**Phase 3: Completed filtering (rules).
    id: '100003'
    level: '0'
    description: 'Testing alert'
    groups: '['local', 'syslog', 'sshd', 'group1']'
    firedtimes: '1'
    mail: 'False'


Jun 18 17:45:02 MyHost example[12345]: Field1: Value1 Field2: Value2

**Phase 1: Completed pre-decoding.
    full event: 'Jun 18 17:45:02 MyHost example[12345]: Field1: Value1 Field2: Value2 '
    timestamp: 'Jun 18 17:45:02'
    hostname: 'MyHost'
    program_name: 'example'

**Phase 2: Completed decoding.
    name: 'testing_decoder_parent'
    comparision_field: 'Field1: Value1 Field2: Value2'
    field1: 'Value1'
    field2: 'Value2'

**Phase 3: Completed filtering (rules).
    id: '100002'
    level: '10'
    description: 'Testing alert'
    groups: '['local', 'syslog', 'sshd', 'group1']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

The implementation of the ruleset could differ in your use case. If you have any doubts, share your use case and we will help you with that.

Regards,

Gastón Palomeque
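An added Python check, not from the thread and not Wazuh code, that replays the decoder capture and the two rule regexes from the reply above over constructed log lines. It uses Python's `re` as a stand-in for Wazuh's PCRE2 engine (the backreference and `$` semantics are the same for these patterns) and also shows why the trailing `$` in rule 100003 matters: without it, a Field2 value that merely starts with the Field1 value (Value1 vs Value10) would be wrongly suppressed.

```python
import re

# Constructed log lines in the shape used in the thread (not real Wazuh data).
LOGS = [
    "Jun 18 17:45:02 MyHost example[12345]: Field1: Value1 Field2: Value1",
    "Jun 18 17:45:02 MyHost example[12345]: Field1: Value1 Field2: Value2",
    "Jun 18 17:45:02 MyHost example[12345]: Field1: Value1 Field2: Value10",
]

# Stand-in for the sibling decoder that captures "comparision_field"
# (the whole "Field1: ... Field2: ..." substring of the log).
DECODER = re.compile(r"(Field1: \S+ Field2: \S+)")

# The two rule patterns from the reply. Rule 100002 matches any pair;
# rule 100003 (level 0) takes over when the backreference \1 matches.
RULE_100002 = re.compile(r"Field1: \S+ Field2: \S+$")
RULE_100003 = re.compile(r"Field1: (\S+) Field2: (\1)$")
# Same check without the trailing anchor, kept only to show the failure mode.
RULE_100003_NO_ANCHOR = re.compile(r"Field1: (\S+) Field2: (\1)")


def decode(log):
    """Return the comparision_field value, or None if the decoder does not match."""
    m = DECODER.search(log)
    return m.group(1) if m else None


def evaluate(log, anchored=True):
    """Return (rule_id, level) the way the thread's rule chain resolves it."""
    field = decode(log)
    if field is None or not RULE_100002.search(field):
        return None  # parent rule did not match: no alert at all
    child = RULE_100003 if anchored else RULE_100003_NO_ANCHOR
    if child.search(field):
        return ("100003", 0)  # values equal: silenced by the level-0 child
    return ("100002", 10)  # values differ: level-10 alert is generated


if __name__ == "__main__":
    for log in LOGS:
        print(f"{log.split(': ', 1)[1]!r:45} -> {evaluate(log)}")
    print("unanchored, Value1 vs Value10 ->", evaluate(LOGS[2], anchored=False))
```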