Negate in FIeld

[John Carry]

Dear Wazuh Team,

I am observing below error while usin gnegate in rule, you are requested suggest the proper use of negate inside <field> section.

Rule:

  <rule id="110207" level="14">
    <if_sid>110200</if_sid>
    <field negate="yes">user1||user2|user3</field>
    <description>Windows : Unknown User assigned with special privileges - $(win.eventdata.subjectUserName)</description>
  </rule>
</group>

Error:

Error: Could not check validation (1908) - Error validating configuration: Failure to read rule 110207. No such attribute 'name' for field., (1220): Error loading the rules: 'etc/rules/local_rules.xml'. at Function.returnErrorInstance (https://192.168.23.231/36136/bundles/plugin/wazuh/wazuh.plugin.js:1:106829) at Function._callee2$ (https://192.168.23.231/36136/bundles/plugin/wazuh/wazuh.plugin.js:1:105049) at tryCatch (https://192.168.23.231/36136/bundles/plugin/opendistroQueryWorkbenchKibana/opendistroQueryWorkbenchKibana.plugin.js:1:32004) at Generator.invoke [as _invoke] (https://192.168.23.231/36136/bundles/plugin/opendistroQueryWorkbenchKibana/opendistroQueryWorkbenchKibana.plugin.js:1:35968) at forEach.prototype.<computed> [as next] (https://192.168.23.231/36136/bundles/plugin/opendistroQueryWorkbenchKibana/opendistroQueryWorkbenchKibana.plugin.js:1:33129) at asyncGeneratorStep (https://192.168.23.231/36136/bundles/plugin/wazuh/wazuh.plugin.js:1:98841) at _next (https://192.168.23.231/36136/bundles/plugin/wazuh/wazuh.plugin.js:1:99152)

[Henadence Anyam]

Hello John,

You are using the negate option correctly. However, you are not specifying the name of the field you wish to negate.

Kindly add the name of the field extracted by the decoder. Check the usage of the field tag here: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#field

Example:

<field name="username" negate="yes">user1||user2|user3</field>

Hope you find this information helpful.

Best regards,

[John Carry]

thanks.