Hi,
From the shared custom rule, there are some issues in your custom rule, and that is why it is not working properly.
From the rule, you used a custom rule ID, and for custom rules there is no need to use the overwrite attribute. The overwrite attribute is used only when modifying default rules. If it is a custom rule, there is no need for the overwrite attribute. You can refer to the Wazuh default rules modification documentation for more details.
Also, the parent rule mapping is missing in your custom rule. In Wazuh, Office 365 events already have default rules, and you need to map the correct parent rule ID or rule group with your custom rule so it can be evaluated correctly and trigger alerts. For this, you need to use the <if_sid> tag or <if_group> tag with the correct parent rule details. You can refer to the Wazuh rule syntax documentation for more details.
Also, in the <field> tag you used data.office365.logonerror as the field name. The data. prefix is added by the Filebeat template while indexing the alert into the Indexer. It is metadata added after analysis, so for rule creation the data. prefix should not be used if it does not exist in the original event. You can check the existing Office 365 default rules for reference in this file: 0755-office365_rules.xml
You need to correct the above points in your custom rule to trigger alerts properly.
If you need further assistance with rule creation, please share a sample log of this event so we can check it from our end and assist you better. You can collect the sample log from the archives.json file.
Note: When enabling archives logging, it will start logging all events being ingested into the Wazuh Manager for analysis, which can increase storage usage quickly. After capturing the event, please disable the option to avoid running out of storage.
For capturing logs from archives.json, follow the steps below:
1. Enable logall_json on the Wazuh Manager: update ossec.conf on the Wazuh Manager to enable logall_json.
2. Reproduce the event: trigger the event again to capture the relevant logs.
3. Extract the relevant logs: run the following command on the Wazuh Manager:
Replace <related string> with a relevant value from the log to filter the specific entries.
4. Disable logall_json: after capturing the logs, disable logall_json in ossec.conf to prevent excessive storage usage.
Please share the sample log you extracted from archives.json with us.
Your updated rule syntax should look like the example below.
Sample rule syntax:
The rule shared above is only a reference example. You should update the rule ID and syntax based on your environment.
You can refer to the Wazuh rules syntax documentation for more details about creating custom rules.
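The following is an added example of the rule structure described in the reply above; it is not the rule from the original post or from the Wazuh project. It assumes a custom rule ID of 100100 (custom rule IDs start at 100000), that the default Office 365 rules in 0755-office365_rules.xml belong to the rule group office365, and that the decoded event carries the field office365.LogonError; verify the group name and field name against that file and against a sample event from archives.json before using it.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml; assumptions: custom id 100100,
     parent group "office365" (check 0755-office365_rules.xml), field office365.LogonError. -->
<group name="local,office365,">
  <!-- Custom rule: no overwrite attribute, since no default rule is being modified. -->
  <rule id="100100" level="8">
    <!-- Map to the default Office 365 rules so this rule is evaluated after them. -->
    <if_group>office365</if_group>
    <!-- No "data." prefix: Filebeat adds it at indexing time, the analysis engine never sees it.
         \.+ in Wazuh's default regex dialect matches any non-empty value. -->
    <field name="office365.LogonError">\.+</field>
    <description>Office 365: logon error $(office365.LogonError).</description>
    <group>authentication_failed,</group>
  </rule>
</group>
```

Place the rule in local_rules.xml, restart the manager, and feed the captured JSON event to /var/ossec/bin/wazuh-logtest to confirm that the parent Office 365 rule fires first and that rule 100100 then matches on the decoded field.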