Help required in creating rule


ekta dhussa

Jan 29, 2025, 2:33:55 AM
to Wazuh | Mailing List
Hello Team,
Could you please help me create a rule that will trigger if the same suser value is seen multiple times in a minute.

Log sample:
Jan 29 07:29:09 netskopece CEF:0|Netskope|Test|NULL|application|NULL|Unknown|IncidentID=8551549307615080711 NetskopeJustificationReason=null NetskopeJustificationType=null PolicyName=NULL Severity=Low appSessionId=2018293197464520481 appcategory=Online Ads applicationType=nspolicy browser=Chrome cci=70 ccl=medium device=Windows Device dst=143.143.910.581 ja3=da350be6b552dd9bb7ef37528fa29a7f ja3s=NotAvailable os=Windows 11 requestClientApplication=Microsoft MSN sourceServiceName=MSN src=469.307.255.86 suser=Te...@radisys.com timestamp=1738135847 url=ib.adnxs.com/ut/v3

Regards,
Ekta

hasitha.u...@wazuh.com

Jan 29, 2025, 4:00:22 AM
to Wazuh | Mailing List

Hi Ekta,

I believe I have shared the custom decoders for you in a previous request: https://groups.google.com/g/wazuh/c/mK4_VZSiWmg/m/pwyDCPBCCwAJ 

However, you need to modify the appcategory field in this way to capture the exact value called Online Ads.

Therefore modify this decoder before applying the rule.

  <decoder name="Netskope-decoder-child">
    <parent>Netskope-decoder</parent>
    <regex>appcategory=(\.+)\s\S+=</regex>
    <order>appcategory</order>
  </decoder>


Kindly note that you need to modify the appcategory decoder regex as shown above.
 

Then you can create custom rules to achieve your requirements.
Open the file with a text editor (vi/nano):
vi /var/ossec/etc/rules/local-Netskope_rules.xml

Add these rules to that custom rule file.

  <group name="Netskope">

    <rule id="101001" level="3">
      <decoded_as>Netskope-decoder</decoded_as>
      <description>Netskope messages grouped.</description>
    </rule>

    <rule id="101002" level="3">
      <if_sid>101001</if_sid>
      <field name="appcategory">Online Ads</field>
      <description>Netskope event detected: Online Ads application access logged.</description>
    </rule>

    <rule id="101003" level="10" frequency="5" timeframe="60">
      <if_matched_sid>101002</if_matched_sid>
      <same_field>suser</same_field>
      <description>Multiple Netskope event detected: Online Ads application access logged.</description>
    </rule>

  </group>


To learn more about how to create custom rules you can follow these official guides:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#custom-rules
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Next, change the file permissions of the custom rule file:
chmod 660 /var/ossec/etc/rules/local-Netskope_rules.xml
chown wazuh:wazuh /var/ossec/etc/rules/local-Netskope_rules.xml

After giving the appropriate permissions and adding the rules, you need to restart the Wazuh manager to apply the changes:
systemctl restart wazuh-manager


Rule 101003 will trigger whenever rule 101002 fires 5 times within 60 seconds. To create that I have used the frequency and timeframe attributes to specify the number of times fired and the time duration. If you are using frequency and timeframe, you need to change if_sid to if_matched_sid. To learn more about rule creation, refer to the documents mentioned above.

Let me know if you need further assistance on this.

Regards,
Hasitha Upekshitha 


ekta dhussa

Jan 31, 2025, 12:32:19 AM
to Wazuh | Mailing List
Hello Hasitha,

Thanks for the help.

Can we add multiple fields in <same_field> tag?

Regards,
Ekta

hasitha.u...@wazuh.com

Feb 3, 2025, 2:24:56 AM
to Wazuh | Mailing List
Hi Ekta,

It seems possible; I have tested that it works.
For example, I have tried adding a sourceIP field as a same_field in the third rule as well.

  <rule id="101003" level="10" frequency="3" timeframe="60">
    <if_matched_sid>101002</if_matched_sid>
    <same_field>suser</same_field>
    <same_field>sourceIP</same_field>
    <description>Multiple Netskope event detected: Online Ads application access logged.</description>
  </rule>
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#same-field

I suggest you follow our official guide to learn more about how to create rules.

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#custom-rules
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

I believe your main issue was resolved. Let me know if you need further assistance on this.

Regards,
Hasitha Upekshitha
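As an added illustration (not Wazuh's code and not posted in this thread), the Python below simulates what rules 101002 and 101003 from the two answers above do to a stream of Netskope CEF lines: it parses the extension key/value pairs, keeps one sliding window per distinct same_field tuple (suser alone, or suser plus source IP as in the second answer) and fires once `frequency` matches land inside `timeframe` seconds. The sample lines, users and IPs are constructed; field names follow the CEF keys of the original log (suser, src), so `src` stands in for the `sourceIP` field named in the rule above, and the counting models the semantics described in the thread rather than Wazuh's internal engine.

```python
import re
from collections import defaultdict, deque

CEF_HEADER = "CEF:0|Netskope|Test|NULL|application|NULL|Unknown|"
# Extension values may contain spaces ("Online Ads", "Windows Device"), so a value runs until
# the next " key=" token: the same problem the thread's appcategory decoder regex deals with.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_cef(line):
    """Split one CEF line into a dict of its extension key/value pairs."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    return dict(KV_RE.findall(parts[7]))


def make_line(ts, suser, src, appcategory="Online Ads"):
    """Constructed sample line in the shape of the thread's log (synthetic users, RFC 5737 IPs)."""
    return (f"{CEF_HEADER}appcategory={appcategory} browser=Chrome device=Windows Device "
            f"src={src} suser={suser} timestamp={ts} url=ib.adnxs.com/ut/v3")


def correlate(lines, frequency=5, timeframe=60, same_fields=("suser",)):
    """Model of rule 101003 as the thread describes it: count rule-101002 matches
    (appcategory == Online Ads) per distinct same_field tuple in a sliding window and fire
    once `frequency` of them fall within `timeframe` seconds. Lines for a given key must
    arrive in time order. This imitates the semantics, not Wazuh's engine."""
    windows, alerts = defaultdict(deque), []
    for line in lines:
        f = parse_cef(line)
        if f.get("appcategory") != "Online Ads":      # rule 101002 did not match
            continue
        ts, key = int(f["timestamp"]), tuple(f.get(n) for n in same_fields)
        win = windows[key]
        win.append(ts)
        while ts - win[0] > timeframe:                # drop events outside the window
            win.popleft()
        if len(win) >= frequency:
            alerts.append((ts, key))
            win.clear()                               # start counting afresh after firing
    return alerts


BASE = 1738135847
LOGS = ([make_line(BASE + 10 * i, "alice@example.com", "203.0.113.10" if i < 3 else "203.0.113.20")
         for i in range(5)]                                                  # 5 hits in 40 s, two src values
        + [make_line(BASE + 10 * i, "bob@example.com", "203.0.113.11") for i in range(4)]    # only 4 hits
        + [make_line(BASE + 100 * i, "carol@example.com", "203.0.113.12") for i in range(5)]  # spread over 400 s
        + [make_line(BASE + 5 * i, "dave@example.com", "203.0.113.13", "Webmail") for i in range(5)])

if __name__ == "__main__":
    print(correlate(LOGS))                                # one alert, for alice
    print(correlate(LOGS, same_fields=("suser", "src")))  # none: no (suser, src) pair reaches 5
```

Adding `src` to `same_fields` splits alice's five hits into groups of three and two, which is why the second call stays silent with frequency 5 but fires with frequency 3.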