Custom Rules


user

May 9, 2025, 6:18:44 AM5/9/25
to Wazuh | Mailing List
Hi everyone,

I am very much a novice with Wazuh and its rules, so I have some troubles and questions about my rules.

Can I delete all default rules?

I am trying to implement some easy rules to detect Windows connections. How can I do that, because these ones don't work:
  <rule id="100105" level="3">
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules. TEST</description>
  </rule>

  <rule id="100106" level="3">
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.eventID">^528$|^540$|^673$|^4624$|^4769$</field>
    <description>Windows Logon Success TEST</description>
    <options>no_full_log</options>
  </rule>

What's wrong?
I am trying to write easy rules to better understand how it works, and I was inspired by default rules 60106 and 60000.

Could someone help me, please?
Thank you for your time.

Md. Nazmur Sakib

May 9, 2025, 7:13:14 AM5/9/25
to Wazuh | Mailing List

Hi User,


There are a few things to keep in mind when you are writing decoders and rules. If the logs for which you are trying to write rules already trigger alerts, you need to use that alert's rule ID or rule group as a reference in your custom rule.

Ex:

    <if_sid>100100, 100101</if_sid>

    <if_group>windows</if_group>

Also, keep in mind that a log only triggers one alert, meaning that you cannot trigger alerts for two rules based on a single log.

If you are new to writing rules and decoders, starting with Windows eventchannel log for writing decoders and rules can be a bit complicated as the ruletest tool doesn’t work the same way for Windows event channel as it does for other logs.

To know which default rule is triggering, you need to test the log first in wazuh-logtest or ruleTest.

By default, the logtest is not able to test the logs that come via the event channel. However, there is a workaround: back up the file /var/ossec/ruleset/rules/0575-win-base_rules.xml, then modify the rule 60000 inside that file, removing the category and changing the decoded_as to json. The original lines are:

    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>

The modified rule looks like this:

    <rule id="60000" level="0">
      <decoded_as>json</decoded_as>
      <field name="win.system.providerName">\.+</field>
      <options>no_full_log</options>
      <description>Group of windows rules.</description>
    </rule>

Now you can test your log with the logtest and confirm if the rule is working. It is not necessary to restart the manager after modifying this or any rules file in order to use the logtest.



WARNING: after testing, restore the file 0575-win-base_rules.xml to its original. If you don't do that, after restarting the manager all the Windows EventChannel alerts will stop working, as the main rule is changed. The modification that I suggest is only for testing purposes.


Check these documents for writing custom rules:
Rules Syntax
Regular Expression Syntax
Rules

You can also check this document, which is a good example for writing a custom Windows rule.

https://zaferbalkan.com/wazuhevtx/


Let me know if you need any further information.
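As an added example (not part of the reply above or the original poster's own rules), this is how the poster's "Windows Logon Success TEST" rule could be rewritten to follow the advice given: instead of matching on decoded_as directly, it is made a child of the default rule 60106 (the Windows logon rule the poster mentions) via if_sid, so it is only evaluated after 60106 has matched and, being the more specific match, fires in place of it. The group name, the rule ID 100106 and level 5 are assumptions chosen for illustration; the win.system.eventID field and the value 4624 are taken from the poster's rule.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml.
     Assumptions: the group name, rule id 100106 and level 5 are illustrative;
     60106 is the default "Windows Logon Success" rule referenced by the poster. -->
<group name="local,windows,">

  <!-- Child of default rule 60106: it is checked only when 60106 already
       matched the event, and as the deeper match it replaces that alert,
       which respects the "one log, one alert" behaviour described above. -->
  <rule id="100106" level="5">
    <if_sid>60106</if_sid>
    <!-- Narrow the parent's list (528|540|673|4624|4769) down to 4624 only. -->
    <field name="win.system.eventID">^4624$</field>
    <options>no_full_log</options>
    <description>Windows Logon Success TEST (custom, child of 60106)</description>
    <group>authentication_success,</group>
  </rule>

</group>
```

Because the rule hangs off 60106 rather than off decoded_as, the same wazuh-logtest workaround described above (temporarily switching rule 60000 to decoded_as json, then restoring the file) is all that is needed to confirm it: when the JSON event with eventID 4624 is fed to logtest, the output should show the chain 60000, 60106 and finally 100106 at level 5.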

Md. Nazmur Sakib

May 9, 2025, 7:20:17 AM5/9/25
to Wazuh | Mailing List
Sorry, I missed one of your questions. You asked whether you can delete the default rules. Yes, it is possible to delete the default rules, but it is not recommended.

If you want to change an existing rule, I suggest you check the example in this document:

https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#changing-existing-rules

Let me know if you need any further assistance.