How to create rules by agent IP


Facu Basgall
May 28, 2026, 9:59:45 AM
to Wazuh | Mailing List

Hi

I need to create a rule to filter a Windows event if it originates from a specific IP range (10.20.44.0/24)

For example, rule 60110.

Is this possible?



Attachment: event.json

Nicolas Alejandro Bertoldo
May 28, 2026, 10:38:31 AM
to Wazuh | Mailing List
Hi Facu,

Yes, it's possible. You can create a child rule that inherits from rule 60110 and additionally matches the agent IP using the <field name="agent.ip"> element with a regex for the subnet.

Add to /var/ossec/etc/rules/local_rules.xml:

<group name="windows,windows_security,">

  <!-- Filter rule 60110 only for agents in 10.20.44.0/24 -->
  <rule id="100001" level="8">
    <if_sid>60110</if_sid>
    <field name="agent.ip">^10\.20\.44\.</field>
    <description>User account changed - originated from 10.20.44.0/24</description>
    <options>no_full_log</options>
    <group>account_changed,</group>
    <mitre>
      <id>T1098</id>
    </mitre>
  </rule>

</group>

After saving, reload rules with sudo /var/ossec/bin/wazuh-control restart or sudo systemctl restart wazuh-manager.

Reference: Custom Rules

Regards

Nicolas Alejandro Bertoldo
Jun 1, 2026, 12:14:47 PM
to Wazuh | Mailing List
Hi Facu,

I need to correct my previous answer. After a deeper investigation into the Wazuh source code, the approach I suggested does not work.

Why <field name="agent.ip"> doesn't work:

The agent.ip field is not available during rule evaluation. It is constructed only at alert output formatting time, after all rule matching has already completed. The function used by the rule engine only searches decoded event payload fields (win.system.*, win.eventdata.*, etc.), never agent metadata.

The agent IP is available during rule matching via location, which has the format:

(hostname) IP->EventChannel

So this rule would technically work:

<rule id="100001" level="8">
  <if_sid>60110</if_sid>
  <location type="pcre2">^\(.*\)\s10\.20\.44\.</location>

  <description>User account changed - originated from 10.20.44.0/24</description>
  <options>no_full_log</options>
  <group>account_changed,</group>
  <mitre>
    <id>T1098</id>
  </mitre>
</rule>

However, this only works if the agent was registered with a fixed IP address, using <agent_address> option. If the agent was enrolled with a dynamic IP address, the location string becomes (hostname) any->EventChannel and there is no IP to match on.

Practical recommendations:

1. Re-register the agent with a fixed IP: this is the cleanest solution. Once registered with a real IP, the rule above will work correctly.

2. Filter by agent group: assign all agents in the 10.20.44.0/24 subnet to a dedicated Wazuh agent group, then use group-based filtering at the dashboard level rather than at the rule level.

3. Filter at the dashboard/index level: since agent.ip is present in the indexed alert document, you can apply the IP range filter directly in the dashboards or via index-level filtering without needing a custom rule.

I apologize for the initial incorrect guidance.

Regards
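As an added example (not part of the thread and not Wazuh's own code), the following Python script takes the location format described in the reply above, `(hostname) IP->EventChannel`, and shows what the pcre2 pattern from the rule decides for fixed-IP and dynamically enrolled agents, next to a real CIDR membership check. It also shows a limit the prefix regex has beyond the /24 in the question: a range that is not octet-aligned, such as 10.20.44.0/23, cannot be expressed as a `^10\.20\.44\.` prefix at all, so the rule engine can only approximate such ranges. Python's `re` stands in for PCRE2 here (the pattern uses only syntax the two share), and the location strings are constructed samples.

```python
import ipaddress
import re
from typing import Dict, Optional

# Shape of the location string the rule engine sees for Windows EventChannel
# events, as described in the thread: "(hostname) IP->EventChannel".
# Agents enrolled with a dynamic address carry "any" in place of the IP.
LOCATION_RE = re.compile(r"^\((?P<hostname>[^)]*)\)\s(?P<ip>\S+?)->(?P<source>.+)$")

# The pcre2 pattern from the rule in the thread, as a Python regex.
SUBNET_LOCATION_RE = re.compile(r"^\(.*\)\s10\.20\.44\.")


def parse_location(location: str) -> Dict[str, str]:
    """Split a location string into hostname, ip (or 'any') and log source."""
    m = LOCATION_RE.match(location)
    if m is None:
        raise ValueError(f"unexpected location format: {location!r}")
    return m.groupdict()


def rule_matches(location: str) -> bool:
    """What the <location type="pcre2"> element from the thread would decide."""
    return SUBNET_LOCATION_RE.search(location) is not None


def in_subnet(location: str, cidr: str) -> Optional[bool]:
    """Proper CIDR check on the address carried in the location string.

    Returns None for agents enrolled with a dynamic address ('any'): there is
    no IP to test, which is exactly why the rule cannot match them."""
    ip = parse_location(location)["ip"]
    if ip == "any":
        return None
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def summarize(location: str, cidr: str = "10.20.44.0/24") -> Dict[str, object]:
    """Side-by-side view of the regex decision and the real CIDR decision."""
    info = parse_location(location)
    return {
        "hostname": info["hostname"],
        "ip": info["ip"],
        "regex_rule_matches": rule_matches(location),
        "in_cidr": in_subnet(location, cidr),
    }


# Constructed sample location strings (not taken from the thread's logs).
SAMPLES = [
    "(vm-win2022) 10.20.44.17->EventChannel",  # fixed IP inside 10.20.44.0/24
    "(vm-win2019) 10.20.45.3->EventChannel",   # fixed IP outside the /24, inside the /23
    "(vm-win2016) any->EventChannel",          # dynamic enrolment: nothing to match on
]

if __name__ == "__main__":
    for loc in SAMPLES:
        print(summarize(loc))
        # For a /23 the prefix regex and the CIDR check disagree on 10.20.45.x:
        print("  in 10.20.44.0/23:", in_subnet(loc, "10.20.44.0/23"))
```

The `in_subnet` result of `None` is the case the reply describes: the rule engine sees `any`, so no regex can recover the address, and only the indexed `agent.ip` (recommendation 3) still carries it.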

Facu Basgall
Jun 1, 2026, 2:31:32 PM
to Wazuh | Mailing List

Re-registering the agents is not a viable option in this environment.

So, is it not possible to filter by IP address or IP range in the rules? Could I do it by hostname?

Bearing in mind that the log is received as (hostname) any->EventChannel 

Nicolas Alejandro Bertoldo
Jun 1, 2026, 3:08:51 PM
to Wazuh | Mailing List
Yes, you can filter by hostname using the <hostname> option. You can use a rule like this:

<group name="windows,windows_security,">

  <!-- Filter rule 60110 only for agent vm-win2022 -->
  <rule id="100001" level="8">
    <if_sid>60110</if_sid>
    <hostname>vm-win2022</hostname>
    <description>User account changed - originated from $(hostname)</description>
    <options>no_full_log</options>
    <group>account_changed,</group>
    <mitre>
      <id>T1098</id>
    </mitre>
  </rule>

</group>



The event from archives.log:

2026 Jun 01 19:01:30 (vm-win2022) 192.168.100.53->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4738","version":"0","level":"0","task":"13824","opcode":"0","keywords":"0x8020000000000000","systemTime":"2026-06-01T19:01:27.8766077Z","eventRecordID":"979544","processID":"704","threadID":"808","channel":"Security","computer":"vm-win2022","severityValue":"AUDIT_SUCCESS","message":"\"A user account was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1673099515-2324581457-255951991-1000\r\n\tAccount Name:\t\tvagrant\r\n\tAccount Domain:\t\tVM-WIN2022\r\n\tLogon ID:\t\t0xBA662\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1673099515-2324581457-255951991-1002\r\n\tAccount Name:\t\tTestUser01\r\n\tAccount Domain:\t\tVM-WIN2022\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\tTestUser01\r\n\tDisplay Name:\t\t<value not set>\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t<value not set>\r\n\tHome Drive:\t\t<value not set>\r\n\tScript Path:\t\t<value not set>\r\n\tProfile Path:\t\t<value not set>\r\n\tUser Workstations:\t<value not set>\r\n\tPassword Last Set:\t5/29/2026 3:48:28 PM\r\n\tAccount Expires:\t\t<never>\r\n\tPrimary Group ID:\t513\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t0x214\r\n\tNew UAC Value:\t\t0x214\r\n\tUser Account Control:\t-\r\n\tUser Parameters:\t<value not set>\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\tAll\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-\""},"eventdata":{"targetUserName":"TestUser01","targetDomainName":"VM-WIN2022","targetSid":"S-1-5-21-1673099515-2324581457-255951991-1002","subjectUserSid":"S-1-5-21-1673099515-2324581457-255951991-1000","subjectUserName":"vagrant","subjectDomainName":"VM-WIN2022","subjectLogonId":"0xba662","samAccountName":"TestUser01","displayName":"%%1793","homeDirectory":"%%1793","homePath":"%%1793","scriptPath":"%%1793","profilePath":"%%1793","userWorkstations":"%%1793","passwordLastSet":"5/29/2026 3:48:28 PM","accountExpires":"%%1794","primaryGroupId":"513","oldUacValue":"0x214","newUacValue":"0x214","userParameters":"%%1793","logonHours":"%%1797"}}}

And the alert from wazuh dashboard:

{
  "_index": "wazuh-alerts-4.x-2026.06.01",
  "_id": "iu-QhJ4BgHN5bpaDJ0yf",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": {
      "type": "log"
    },
    "agent": {
      "ip": "10.0.2.15",
      "name": "vm-win2022",
      "id": "008"
    },
    "manager": {
      "name": "wazuh-server"
    },
    "data": {
      "win": {
        "eventdata": {
          "subjectLogonId": "0xba662",
          "scriptPath": "%%1793",
          "passwordLastSet": "5/29/2026 3:48:28 PM",
          "homeDirectory": "%%1793",
          "userParameters": "%%1793",
          "subjectDomainName": "VM-WIN2022",
          "displayName": "%%1793",
          "accountExpires": "%%1794",
          "homePath": "%%1793",
          "samAccountName": "TestUser01",
          "targetUserName": "TestUser01",
          "subjectUserSid": "S-1-5-21-1673099515-2324581457-255951991-1000",
          "primaryGroupId": "513",
          "logonHours": "%%1797",
          "targetDomainName": "VM-WIN2022",
          "profilePath": "%%1793",
          "userWorkstations": "%%1793",
          "oldUacValue": "0x214",
          "newUacValue": "0x214",
          "targetSid": "S-1-5-21-1673099515-2324581457-255951991-1002",
          "subjectUserName": "vagrant"
        },
        "system": {
          "eventID": "4738",
          "keywords": "0x8020000000000000",
          "providerGuid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
          "level": "0",
          "channel": "Security",
          "opcode": "0",
          "message": "\"A user account was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1673099515-2324581457-255951991-1000\r\n\tAccount Name:\t\tvagrant\r\n\tAccount Domain:\t\tVM-WIN2022\r\n\tLogon ID:\t\t0xBA662\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1673099515-2324581457-255951991-1002\r\n\tAccount Name:\t\tTestUser01\r\n\tAccount Domain:\t\tVM-WIN2022\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\tTestUser01\r\n\tDisplay Name:\t\t<value not set>\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t<value not set>\r\n\tHome Drive:\t\t<value not set>\r\n\tScript Path:\t\t<value not set>\r\n\tProfile Path:\t\t<value not set>\r\n\tUser Workstations:\t<value not set>\r\n\tPassword Last Set:\t5/29/2026 3:48:28 PM\r\n\tAccount Expires:\t\t<never>\r\n\tPrimary Group ID:\t513\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t0x214\r\n\tNew UAC Value:\t\t0x214\r\n\tUser Account Control:\t-\r\n\tUser Parameters:\t<value not set>\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\tAll\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-\"",
          "version": "0",
          "systemTime": "2026-06-01T19:01:27.8766077Z",
          "eventRecordID": "979544",
          "threadID": "808",
          "computer": "vm-win2022",
          "task": "13824",
          "processID": "704",
          "severityValue": "AUDIT_SUCCESS",
          "providerName": "Microsoft-Windows-Security-Auditing"
        }
      }
    },
    "rule": {
      "firedtimes": 1,
      "mail": false,
      "level": 8,
      "description": "User account changed - originated from vm-win2022",
      "groups": [
        "windows",
        "windows_security",
        "account_changed"
      ],
      "mitre": {
        "technique": [
          "Account Manipulation"
        ],
        "id": [
          "T1098"
        ],
        "tactic": [
          "Persistence"
        ]
      },
      "id": "100001"
    },
    "location": "EventChannel",
    "decoder": {
      "name": "windows_eventchannel"
    },
    "id": "1780340490.2994365",
    "timestamp": "2026-06-01T19:01:30.858+0000"
  },
  "fields": {
    "timestamp": [
      "2026-06-01T19:01:30.858Z"
    ]
  },
  "highlight": {
    "agent.id": [
      "@opensearch-dashboards-highlighted-field@008@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1780340490858
  ]
}
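Since the rule engine can match on hostname but not on the agent's address, one way to keep the original IP-range intent without re-registering agents is to derive the hostname list from the agent inventory and generate the rule from it. The following Python script is an added example, not from the thread or the Wazuh project. It takes a constructed agent list in the shape of the items the Wazuh API returns for GET /agents (only `id`, `name` and `ip` are used), selects the agents registered inside the subnet, reports agents enrolled with a dynamic address (`any`) that the inventory cannot place, and renders a child rule of 60110 with a single anchored `<hostname type="pcre2">` alternation so that `vm-win2022` does not also match `vm-win20220`. The `type="pcre2"` attribute is assumed to be accepted on `<hostname>` the way it is on `<location>` in the earlier reply; the agent names and addresses are made up. The generated rule has to be regenerated whenever an agent's registered IP changes, and it is worth confirming with /var/ossec/bin/wazuh-logtest before deploying.

```python
import ipaddress
import re
from typing import Dict, List, Tuple
from xml.sax.saxutils import escape

# Constructed agent inventory in the shape of GET /agents items (only the
# fields used here). Names and addresses are invented for this example.
AGENTS: List[Dict[str, str]] = [
    {"id": "001", "name": "vm-win2022", "ip": "10.20.44.17"},
    {"id": "002", "name": "vm-win2019", "ip": "10.20.44.88"},
    {"id": "003", "name": "vm-win2016", "ip": "10.20.45.3"},
    {"id": "004", "name": "srv-files", "ip": "any"},  # dynamic enrolment: no usable IP
]


def agents_in_subnet(agents: List[Dict[str, str]], cidr: str) -> Tuple[List[str], List[str]]:
    """Names of agents registered inside cidr, plus the names of agents enrolled
    with a dynamic address ('any'), which the inventory cannot place."""
    net = ipaddress.ip_network(cidr, strict=False)
    inside, unplaced = [], []
    for agent in agents:
        if agent["ip"] == "any":
            unplaced.append(agent["name"])
        elif ipaddress.ip_address(agent["ip"]) in net:
            inside.append(agent["name"])
    return sorted(inside), sorted(unplaced)


def hostname_pattern(hostnames: List[str]) -> str:
    """One anchored alternation; re.escape keeps any regex metacharacters literal."""
    if not hostnames:
        raise ValueError("no hostnames: the rule would never fire")
    return "^(" + "|".join(re.escape(h) for h in hostnames) + ")$"


def pattern_fires_for(hostnames: List[str], hostname: str) -> bool:
    """Offline check with Python's re (PCRE2 agrees for this pattern shape)."""
    return re.search(hostname_pattern(hostnames), hostname) is not None


def hostname_rule(hostnames: List[str], rule_id: int = 100001, parent_sid: int = 60110,
                  level: int = 8, cidr: str = "10.20.44.0/24") -> str:
    """Render the child rule as it would go into /var/ossec/etc/rules/local_rules.xml."""
    return "\n".join([
        '<group name="windows,windows_security,">',
        f"  <!-- Child of rule {parent_sid}: agents registered inside {cidr} -->",
        f'  <rule id="{rule_id}" level="{level}">',
        f"    <if_sid>{parent_sid}</if_sid>",
        f'    <hostname type="pcre2">{escape(hostname_pattern(hostnames))}</hostname>',
        "    <description>User account changed - originated from $(hostname)</description>",
        "    <options>no_full_log</options>",
        "    <group>account_changed,</group>",
        "    <mitre>",
        "      <id>T1098</id>",
        "    </mitre>",
        "  </rule>",
        "</group>",
        "",
    ])


if __name__ == "__main__":
    inside, unplaced = agents_in_subnet(AGENTS, "10.20.44.0/24")
    print(hostname_rule(inside))
    if unplaced:
        # These agents carry no address in the inventory; decide by hand whether
        # they belong to the subnet and add them to the list if so.
        print("<!-- enrolled with a dynamic address, not placed:", ", ".join(unplaced), "-->")
```

The anchored alternation matters because Wazuh's `<hostname>` is a regex match, not an equality test: an unanchored `vm-win2022` would also fire for a host named `vm-win2022-test`.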