Modify rules by agent


Facu Basgall

Sep 3, 2025, 10:50:40 AM (4 days ago) Sep 3
to Wazuh | Mailing List

I have a question about the rules. Can I indicate with a tag whether it comes from a particular agent or a group of agents?

Because I would like to raise a rule only if it is triggered in a predefined agent or in a predetermined group of for example "critical servers"

Thanks.

Olamilekan Abdullateef Ajani

Sep 3, 2025, 12:21:21 PM (4 days ago) Sep 3
to Wazuh | Mailing List
Hello,

One way to do this is if you have a specific field in the alert that is common to all or some agents of a group, for example, the hostname field. You can create a rule to only trigger by that hostname field, example below:

<rule id="102212" level="10">
    <if_sid>rule-reference</if_sid>
    <hostname type="PCRE2">device-.+</hostname>
    <description>a test reference rule from host $(hostname)</description>
</rule>


This way the rule will only be triggered when the agent hostname starts with "device-"

Another option is to create a variable for the group of agents:

<var name="sensitive-server">ubuntu-new|windows10-agent</var>

<rule id="121506" level="3">
    <if_sid>506</if_sid>
    <match>$sensitive-server</match>
    <description>sensitive server with Wazuh agent stopped.</description>
</rule>



Please let me know if you require additional information on this
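Putting both approaches from the reply together for the "critical servers" case in the question, as an added example (this is not code from the reply or from the Wazuh project): the agent names and the custom ids 100100 and 100101 are made up, the parent rule 506 is the one used in the reply, and 5716 is the stock "sshd: authentication failed." rule. The `type="PCRE2"` attribute is used the same way the reply uses it and needs a Wazuh version that supports it.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml.
     Agent names and the 1001xx rule ids are made up for illustration. -->
<group name="local,critical_servers,">

  <!-- Agent names that make up the "critical servers" set. The variable is
       expanded inside <match>, which runs against the log text, so the names
       must appear in the log line exactly as written here. -->
  <var name="CRITICAL_AGENTS">db-prod-01|web-prod-01|web-prod-02</var>

  <!-- Events the agents send themselves: <hostname> is matched against the
       agent name (as in the reply), so this child rule raises the level of
       5716 only for the critical set and stays silent for every other agent. -->
  <rule id="100100" level="10">
    <if_sid>5716</if_sid>
    <hostname type="PCRE2">^(db-prod-01|web-prod-0[12])$</hostname>
    <description>sshd authentication failure on critical server $(hostname)</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Events the manager generates about an agent, such as 506 ("Wazuh agent
       stopped"): the event does not originate on the agent, so the agent is
       identified from the log text with <match> and the variable, as the reply
       does, rather than with <hostname>. -->
  <rule id="100101" level="12">
    <if_sid>506</if_sid>
    <match>$CRITICAL_AGENTS</match>
    <description>Wazuh agent stopped on a critical server.</description>
  </rule>

</group>
```

After saving the file, restart the manager (`systemctl restart wazuh-manager`) so the rules are loaded. The two parent rules still fire for non-critical agents at their normal level; only the two child rules above are restricted to the named agents, which is the "raise only for a predefined group" behaviour asked for in the question. Any agent added to the critical set has to be added in both places (the `<var>` and the `<hostname>` pattern), so keep the two lists in step.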