How to trigger two rules under the same rule


Julian Jorge

Oct 4, 2023, 10:45:16 AM
to Wazuh | Mailing List
Hello! 

We are trying to make a new rule that is composed of two other rules; let me explain:

    <rule id="1" level="15" frequency="20" timeframe="60">
      <if_matched_sid>553</if_matched_sid>
      <description>A</description>
    </rule>
    <rule id="2" level="15" frequency="20" timeframe="60">
      <if_matched_sid>554</if_matched_sid>
      <description>B</description>
    </rule>

    <rule id="3" level="15">
      <if_sid>1,2</if_sid>
      <description>A and B</description>
    </rule>

We are making rule="3" and we need to trigger this one when the other ones fire (3 = 1 + 2).

At the moment, rule=3 is triggered when at least one of the others fires, but we need rule=3 to fire when both of them fire.

Could someone help us please?

Guillermo Andres Cabrera Davila

Oct 4, 2023, 1:03:07 PM
to Wazuh | Mailing List
Hello Julian,

Thanks for contacting us!

I will be doing some testing based on your request, and I will be getting back to you as soon as possible.

Kind regards,

Guillermo.


Guillermo Andres Cabrera Davila

Oct 6, 2023, 4:14:57 PM
to Wazuh | Mailing List
Hello Julian,

Thanks for your patience,

After doing some testing I was able to find a way to trigger an alert when the other two rules trigger. Here is the example rule I created for you:

<group name="testapp">
  <rule id="100100" level="15" frequency="20" timeframe="60">
    <if_matched_sid>553</if_matched_sid>
    <description>A</description>
  </rule>

  <rule id="100110" level="15" frequency="20" timeframe="60">
    <if_matched_sid>554</if_matched_sid>
    <description>B</description>
  </rule>

  <!-- fires on an event matching 100100 when 100110 has alerted inside the timeframe -->
  <rule id="100111" level="10" timeframe="60">
    <if_sid>100100</if_sid>
    <if_matched_sid>100110</if_matched_sid>
    <!-- a bare & is not valid XML and breaks ruleset loading; it must be escaped -->
    <description>action A&amp;B</description>
  </rule>
</group>

Please keep in mind that the rule IDs for custom rules should be numbers between 100000 and 120000; other rule IDs are reserved for the default ruleset.

This rule was created based on the following:

We based the 3rd rule on the other two you shared. This rule will trigger if rule id 100100 triggers and then rule id 100110 is triggered after. Please note that if rule id 100111 is matched, you will not see an event for rule id 100110 as that rule is a parent rule to rule id 100111.

I have set a timeframe for rule "100111". This will help to check that the two rules are triggered within a certain amount of time. If you would like to use more options for this criterion, I will leave links to our official documentation related to them and to all the rules documentation.

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rules-syntax
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-matched-sid
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

It is important to mention that I used some sample logs to trigger the alert. Here I will leave some screenshots from the "Security Events" >> "Event" tab of the test performed to make sure that it was working as expected.

[image: screenshots of the "Security Events" >> "Event" tab from the test]

As you can see, it first triggers one alert, and when the second alert is triggered, it triggers the third alert informing that actions A and B were activated.

After creating a new rule following those criteria you should be able to trigger an alert based on the trigger of two other alerts.

Please let me know if you have further questions regarding this topic.

Guillermo
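To make the interplay of the attributes in the rule above concrete, here is a small Python model of the correlation (an added example; it is not Wazuh's engine and not code from this thread). It assumes the semantics the linked documentation gives for these attributes: if_sid names the rule the current event has just matched, if_matched_sid names a rule that must already have alerted inside timeframe, and frequency is how many such alerts are required (Wazuh's exact counter arithmetic is simplified to "at least frequency alerts in the window"). The rule IDs come from the example rules above; the event bursts are constructed sample input.

```python
"""Simplified model of Wazuh's if_sid / if_matched_sid / frequency / timeframe.

Added example, not Wazuh's analysis engine: it replays alerts in timestamp
order and reports which derived rules fire. Assumptions (not taken from the
thread): a rule with if_sid hangs under that rule in the rule tree; a rule with
only if_matched_sid hangs under the rule it counts; frequency means "at least
this many alerts of if_matched_sid inside timeframe", current alert included.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class Rule:
    rule_id: int
    description: str
    if_sid: Optional[int] = None          # rule the *current* event must have matched
    if_matched_sid: Optional[int] = None  # rule that must already have alerted in the window
    frequency: int = 1                    # alerts of if_matched_sid required (model default)
    timeframe: int = 60                   # sliding window in seconds (value used in the thread)

    @property
    def parent(self) -> Optional[int]:
        # Rule-tree placement: if_sid wins; otherwise the counted rule is the parent.
        return self.if_sid if self.if_sid is not None else self.if_matched_sid


class Correlator:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.alerts: Dict[int, Deque[int]] = {}  # rule_id -> timestamps of past alerts

    def _record(self, rule_id: int, ts: int) -> None:
        self.alerts.setdefault(rule_id, deque()).append(ts)

    def _count_in_window(self, rule_id: int, now: int, window: int) -> int:
        q = self.alerts.setdefault(rule_id, deque())
        while q and now - q[0] > window:   # drop alerts that aged out of the timeframe
            q.popleft()
        return len(q)

    def feed(self, ts: int, base_sid: int) -> List[int]:
        """Process one event that matched base rule `base_sid` at second `ts`.
        Returns the derived rule IDs that fire, in evaluation order."""
        matched = [base_sid]
        self._record(base_sid, ts)
        for rule in self.rules:               # file order, so children see their parent
            if rule.parent not in matched:
                continue
            if rule.if_matched_sid is not None:
                seen = self._count_in_window(rule.if_matched_sid, ts, rule.timeframe)
                if seen < rule.frequency:
                    continue
            matched.append(rule.rule_id)
            self._record(rule.rule_id, ts)
        return matched[1:]


# The three rules from the answer above (IDs 553/554 are the base rules they count).
RULES = [
    Rule(100100, "A", if_matched_sid=553, frequency=20, timeframe=60),
    Rule(100110, "B", if_matched_sid=554, frequency=20, timeframe=60),
    Rule(100111, "action A&B", if_sid=100100, if_matched_sid=100110, timeframe=60),
]


def replay(events: List[Tuple[int, int]]) -> Dict[int, List[int]]:
    """Return {timestamp: fired rule ids} for every event that fired something."""
    c = Correlator(RULES)
    out: Dict[int, List[int]] = {}
    for ts, sid in sorted(events):
        fired = c.feed(ts, sid)
        if fired:
            out[ts] = fired
    return out


# Constructed sample traffic, one event per second.
BURST_B_THEN_A = [(t, 554) for t in range(0, 20)] + [(t, 553) for t in range(20, 40)]
BURST_A_THEN_B = [(t, 553) for t in range(0, 20)] + [(t, 554) for t in range(20, 40)]
# B burst, then the A burst 100 s later: B's alert has left the 60 s window.
BURST_B_GAP_A = [(t, 554) for t in range(0, 20)] + [(t, 553) for t in range(100, 120)]

if __name__ == "__main__":
    for name, events in [("B then A", BURST_B_THEN_A),
                         ("A then B", BURST_A_THEN_B),
                         ("B, gap, A", BURST_B_GAP_A)]:
        print(name, replay(events))
```

Running it shows the composite rule 100111 firing only in the first scenario: rule 100110 alerts at second 19, and the event at second 39 that completes rule 100100 finds that alert inside the 60-second window. With the bursts reversed, 100111 is never evaluated because its if_sid parent (100100) is not the rule the later events match; with a 100-second gap, 100110's alert has expired from the timeframe. When tuning such a rule, adjust timeframe to the longest realistic gap between the two behaviours you want to correlate.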