Rule only works for limited number of events


Roman

4:21 AM (18 hours ago) 4:21 AM
to Wazuh | Mailing List
Hello!

I have a Linux server with auditd configured, and I have alerts that I want to lower because they are related to a scheduled backup task. The launch of the backup task is in a different event.
The main rule is 110070. It's quite simple: it relates to the audit key susp_activity.
  <rule id="110070" level="12">
    <if_sid>80700</if_sid>
    <field name="audit.key">susp_activity</field>
    <description>Possible suspicious activity - $(audit.command) executed</description>
    <group>audit_command,</group>
  </rule>

Then I have a rule to detect the launch of the rsync task:
  <rule id="120034" level="3">
    <if_sid>80792</if_sid>
    <field name="audit.execve.a1">^/home/backup/rsync-incremental-backup-remote.sh$</field>
    <description>Backup task. Not a threat.</description>
  </rule>

And then I try to lower all events in a 20 minute (1200 second) window:
  <rule id="120035" level="5" timeframe="1200">
    <if_sid>110070</if_sid>
    <if_matched_sid>120034</if_matched_sid>
    <field name="audit.euid_name">^backup$</field>
    <description>Backup task. Not a threat.</description>
  </rule>

But for some reason it works only with the first 7 events and then stops.
[attachment: Screenshot 2026-02-25 101243.png]
Is this expected behavior? Could you please help us with setting up the rule?

Stuti Gupta

5:03 AM (17 hours ago) 5:03 AM
to Wazuh | Mailing List

Hi @roman

The rule you created with id 120035 is a correlation rule with a timeframe. This means Wazuh will try to link events from rule 110070 with the last event that matched rule 120034 within the 1200-second timeframe. However, Wazuh does not keep reusing the same 120034 event for the entire 20 minutes.
After a few matches, the stored correlation no longer works and new 110070 events no longer meet the correlation condition. That is why this works only for the first several alerts, and then it stops.

If you want all 110070 alerts generated during the backup period to be lowered for the full 20 minutes, you need a different approach. We can either rewrite the rule so it continues matching for the whole window or adjust the logic so it does not rely on if_matched_sid.

To know more about the custom rules, please refer to https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html


I can help you create a corrected rule if you share the exact matching pattern you want to apply to all backup-related events.

Roman

6:29 AM (16 hours ago) 6:29 AM
to Wazuh | Mailing List
Hi, thank you for the quick response.

> If you want all 110070 alerts generated during the backup period to be lowered for the full 20 minutes
Yes, I would like to lower all events if possible.

>  We can either rewrite the rule so it continues matching for the whole window or adjust the logic so it does not rely on if_matched_sid.
Please explain both. I'm new to Wazuh and this was the only pattern I could see. If you see another approach, I'm open to suggestions.

>  share the exact matching pattern you want to apply to all backup-related events
Not quite clear what you mean. 
Current pattern (as I see it): 
- Detect the event with argument "/home/backup/rsync-incremental-backup-remote.sh" (it usually comes in the 'audit.execve.a1' field) in event 'audit-wazuh-c' (event 80792);
- Since the sh script contains ssh/scp commands, lower all events related to that key (event 110070).
- It's a scheduled task, so it starts at 22:00 and ends roughly at 22:15, so I chose a 20 minute window.

I couldn't find any markers in 110070 event to lower it.
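As an added example (not part of either post in this thread), this is the second approach Stuti mentions: a child rule of 110070 that does not rely on if_matched_sid at all, and instead lowers the level only while the scheduled window described above is open. It assumes the backup always runs as euid "backup" between 22:00 and 22:20 on the server's local time, and that rule id 120036 is free in your local ruleset.

```xml
<group name="local,backup,">
  <!-- Added example, not from the thread. Child rule of 110070: when it matches,
       it replaces the level-12 alert with a level-3 one. No correlation state is
       stored, so every 110070 event in the window is lowered, not only the first few.
       Assumptions: backup runs as euid "backup" from 22:00 to 22:20 local time. -->
  <rule id="120036" level="3">
    <if_sid>110070</if_sid>
    <field name="audit.euid_name">^backup$</field>
    <time>22:00 - 22:20</time>
    <description>Backup task (scheduled window, euid backup). Not a threat.</description>
    <group>audit_command,backup_window,</group>
  </rule>
</group>
```

Note that any susp_activity command run as the backup user inside that window is lowered as well, so keep the window and the euid match as tight as the job allows, and keep the level at 3 rather than suppressing the alert so it can still be reviewed.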