Good afternoon,
I applied the exception that was recommended, but the alert still fires at level 10. Below I show the exception rule I configured, the rule that triggers the alert, and the alert as I receive it.
Configured exception rule
<rule id="100002" level="3" timeframe="20" frequency="8">
<if_matched_sid>31530</if_matched_sid>
<location>10-NAME_NAME</location>
<same_source_ip/>
<description>Silence 31533 for 10-NAME_NAME - High amount of POST requests in a small period of time (likely bot).</description>
<group>pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1498</id>
</mitre>
</rule>
Rule that triggers the alert
<rule id="31533" level="10" timeframe="20" frequency="8">
<if_matched_sid>31530</if_matched_sid>
<same_source_ip />
<description>High amount of POST requests in a small period of time (likely bot).</description>
<group>pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1498</id>
</mitre>
</rule>
Alert received in JSON format
{
"agent": {
"ip": "XX.XX.XX.XX",
"name": "10-NAME_NAME",
"id": "016"
},
"previous_output": "XX.XX.XX.XX - - [16/Nov/2023:14:58:24 -0500] \"POST /zabbix/jsrpc.php?output=json-rpc HTTP/1.1\" 200 776 \"https://XX.XX.XX.XX/zabbix/history.php?action=showgraph&itemids%5B%5D=121670\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"\nXX.XX.XX.XX - - [16/Nov/2023:14:58:20 -0500] \"POST /zabbix/zabbix.php?action=widget.problemsbysv.view HTTP/1.1\" 200 328045 \"https://XX.XX.XX.XX/zabbix/zabbix.php?action=dashboard.view&page=2\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"\nXX.XX.XX.XX - - [16/Nov/2023:14:58:20 -0500] \"POST /zabbix/zabbix.php?action=widget.tophosts.view HTTP/1.1\" 200 10997 \"https://XX.XX.XX.XX/zabbix/zabbix.php?action=dashboard.view&page=2\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"\nXX.XX.XX.XX - - [16/Nov/2023:14:58:20 -0500] \"POST /zabbix/zabbix.php?action=widget.problems.view HTTP/1.1\" 200 73565 \"https://XX.XX.XX.XX/zabbix/zabbix.php?action=dashboard.view&page=2\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"\nXX.XX.XX.XX - - [16/Nov/2023:14:58:20 -0500] \"POST /zabbix/zabbix.php?action=notifications.get&output=ajax HTTP/1.1\" 200 1957 \"https://XX.XX.XX.XX/zabbix/history.php?action=showgraph&itemids%5B%5D=121670\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"\nXX.XX.XX.XX - - [16/Nov/2023:14:58:20 -0500] \"POST /zabbix/zabbix.php?action=notifications.get&output=ajax HTTP/1.1\" 200 1957 \"https://XX.XX.XX.XX/zabbix/zabbix.php?action=dashboard.view\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"\nXX.XX.XX.XX - - [16/Nov/2023:14:58:20 -0500] \"POST /zabbix/zabbix.php?action=notifications.get&output=ajax HTTP/1.1\" 200 4356 \"https://XX.XX.XX.XX/zabbix/zabbix.php?action=dashboard.view&dashboardid=293\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"",
"manager": {
"name": "2048-pelim-08"
},
"data": {
"protocol": "POST",
"srcip": "XX.XX.XX.XX",
"id": "200",
"url": "/zabbix/jsrpc.php?output=json-rpc"
},
"rule": {
"firedtimes": 5,
"mail": true,
"level": 10,
"pci_dss": [
"6.5",
"11.4"
],
"tsc": [
"CC6.6",
"CC7.1",
"CC8.1",
"CC6.1",
"CC6.8",
"CC7.2",
"CC7.3"
],
"description": "High amount of POST requests in a small period of time (likely bot).",
"groups": [
"web",
"appsec",
"attack"
],
"mitre": {
"technique": [
"Network Denial of Service"
],
"id": [
"T1498"
],
"tactic": [
"Impact"
]
},
"id": "31533",
"nist_800_53": [
"SA.11",
"SI.4"
],
"frequency": 8,
"gdpr": [
"IV_35.7.d"
]
},
"decoder": {
"name": "web-accesslog"
},
"full_log": "XX.XX.XX.XX - - [16/Nov/2023:14:58:25 -0500] \"POST /zabbix/jsrpc.php?output=json-rpc HTTP/1.1\" 200 776 \"https://XX.XX.XX.XX/zabbix/zabbix.php?action=dashboard.view&dashboardid=293\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"",
"input": {
"type": "log"
},
"@timestamp": "2023-11-16T19:58:25.729Z",
"location": "/var/log/apache2/access.log",
"id": "1700164705.144396198",
"timestamp": "2023-11-16T14:58:25.729-0500",
"_id": "eue22YsB66a147urouU5"
}