Wazuh custom rule

Paul

Sep 29, 2025, 9:51:44 AM (yesterday) Sep 29
to Wazuh | Mailing List
Hi,

Hope someone can advise. I have created a custom Wazuh rule that is based on the inbuilt Office 365 rule id 91545. I want the new custom rule to alert me by email when the office365.organizationId is specified
and
office365.Operation is UserLoggedIn
and
office365.ClientIP looks up a specific CDB list that I created.

The rule seems to work as expected; however, I no longer get 91545 logs in my Office 365 activity for the office365.organizationId specified, and I would like to limit the email alerts to 1 per login, as I get approx. 8 per user login.

Here is the rule:
<rule id="100002" level="12">
  <if_sid>91545</if_sid>
  <field name="office365.organizationId">Microsoft 365 tenant ID</field>
  <field name="office365.Operation">UserLoggedIn</field>
  <list field="office365.ClientIP" lookup="not_address_match_key">etc/lists/ipcomms</list>
  <description>Office 365: IP-Comms User login from non authorized device or country (Not in whitelist)</description>
</rule>
Can someone advise what I need to add to limit the alerts to 1 per login and how I can retain the original 91545 logs?

Many Thanks
Paul
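One way to address both points, added here as an illustration and not taken from the post above or from the Wazuh ruleset: the rule's `ignore` attribute (seconds during which a rule that has just fired is not evaluated again) throttles the burst of login events, and an explicit `<group>office365,</group>` tags the child alert with the parent's group so it is still selected wherever alerts are filtered by `rule.groups`. The 120-second window, the wrapping group name and the tenant ID are placeholders, and the claim that a child rule in a separate file does not inherit the parent's groups is an assumption to verify against your own alerts.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml (assumed path).
     Rules must sit inside a <group name="..."> block; the trailing comma is part
     of Wazuh's group-name syntax. -->
<group name="local,office365,">

  <!-- Child of the built-in rule 91545. Because a matching child replaces the
       parent alert, the event is recorded under 100002 instead of 91545; giving
       this rule the office365 group keeps it visible in views that filter on
       rule.groups rather than on rule.id (assumption). -->
  <rule id="100002" level="12" ignore="120">
    <if_sid>91545</if_sid>

    <!-- Placeholder: replace with the real tenant GUID. -->
    <field name="office365.organizationId">Microsoft 365 tenant ID</field>
    <field name="office365.Operation">UserLoggedIn</field>

    <!-- Fires only when the source IP is NOT in the CDB allowlist. -->
    <list field="office365.ClientIP" lookup="not_address_match_key">etc/lists/ipcomms</list>

    <description>Office 365: IP-Comms User login from non authorized device or country (Not in whitelist)</description>

    <!-- Keep the parent's group tag and force the e-mail regardless of email_level. -->
    <group>office365,authentication_success,</group>
    <options>alert_by_email</options>
  </rule>

</group>
```

Caveat: `ignore` is a per-rule timer, not a per-user one, so a second account logging in from a non-allowlisted IP inside the same window is suppressed as well; after deploying, compare the count of rule 100002 alerts against the count of matching raw Office 365 events before settling on the window length.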