Custom rule not applying proper rule level
2 views
Skip to first unread message
David Brindley
5:37 PM (2 hours ago) 5:37 PM
to Wazuh | Mailing List
Hi All,
<group name="office365,logonerror,">
<rule id="100500" level="12">
<field name="data.office365.logonerror">BlockedByConditionalAccess</field>
<description>Office365 login blocked by Conditional Access</description>
<group>office365,authentication,blocked,</group>
</rule>
</group>
We created a custom rule to elevate 365 login failures that were blocked by conditional access to level 12 so it would send an email to our PSA. When checking logs, we see cases of this rule being generated, but the rule is listed at level 3. Rule details are below.
<group name="office365,logonerror,">
<rule id="100500" level="12">
<field name="data.office365.logonerror">BlockedByConditionalAccess</field>
<description>Office365 login blocked by Conditional Access</description>
<group>office365,authentication,blocked,</group>
</rule>
</group>
Thanks,
David Brindley
David Brindley
5:56 PM (2 hours ago) 5:56 PM
to Wazuh | Mailing List
Sorry for the confusion. After some further research, I realized I was missing the "overwrite" option so I will add that now and test.
Thanks,
David Brindley
Reply all
Reply to author
Forward
0 new messages