--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/AoUMaxEWSp4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/15cd8dc0-65b7-4b85-aea1-420ee0e1126cn%40googlegroups.com.
Hello German.
I'm handling your case because Mario is currently on leave.
Reading the thread, I think I understand what he wants to achieve. The problem I infer is that, first, you are trying to have the rule filter by an event value, and second, the correlative rule captures the username when the first rule is repeated more than x times.
But I think you will never get the desired result, because you are already filtering events and generating alerts with win.eventdata.passwordLastSet: '%%1794'. Consequently, if the correlative rule triggers an alert, it will be with this passwordLastSet value, which is not the desired one.
I guess you should look for another filtering route for the first rule that allows you to filter this event and generate the alert, and then, when it repeats x times, there you filter by the event win.eventdata.passwordLastSet: YYYY-mm-dd. If you have multiple examples of this eventId, we could check a field that can be configured so that the first alert is generated.
In conclusion, the first filter in rule one blocks your attempt at rule two (correlated), as it corresponds to the same event id but with different values of the same key.
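To make the pitfall in the reply concrete, here is the two-rule layout it describes written as Wazuh rule XML. This is an added illustration, not a ruleset from the thread; the rule ids, the parent group "windows", the frequency/timeframe values and the username field win.eventdata.targetUserName are assumptions.

```xml
<group name="windows,account_change,">

  <!-- Rule one: fires on every event where passwordLastSet is the unset
       placeholder %%1794. Any child rule built on top of it can only see
       events that already passed this filter. -->
  <rule id="100100" level="5">
    <if_group>windows</if_group>                      <!-- assumed parent group -->
    <field name="win.eventdata.passwordLastSet">^%%1794$</field>
    <description>Account change with passwordLastSet unset (constructed example)</description>
  </rule>

  <!-- Rule two (correlative): fires only after rule one has matched
       `frequency` times within `timeframe` seconds for the same user. Because
       each counted event carried passwordLastSet = %%1794, the alert this rule
       produces carries that same value; it can never surface a YYYY-mm-dd
       value for the same event id. -->
  <rule id="100101" level="10" frequency="5" timeframe="300">
    <if_matched_sid>100100</if_matched_sid>
    <same_field>win.eventdata.targetUserName</same_field>   <!-- assumed field -->
    <!-- Adding the date filter here does not help: no event reaching this rule
         can satisfy it, because rule one already required %%1794. -->
    <field name="win.eventdata.passwordLastSet">^\d\d\d\d-\d\d-\d\d$</field>
    <description>Repeated account changes for $(win.eventdata.targetUserName) (never fires)</description>
  </rule>

</group>
```

The `<same_field>` element and `$(field)` placeholders in descriptions are Wazuh 4.x ruleset syntax; on older versions the correlation would need a different grouping element.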