Custom rules


WiFi

Dec 1, 2025, 8:50:33 AM (yesterday) Dec 1
to Wazuh | Mailing List
I have a correlation rule that monitors password changes in accounts. If there are more than 5 password changes in 28800 seconds, I receive an alert. How can I add an additional argument so that this rule applies to only one user?
For example, IvanovII has changed their password more than 5 times in 28800 seconds.
However, this rule should apply to all users. Now my rule is not working correctly: it does not compare the data.win.eventdata.targetUserName field.
And for it to work, the value of the data.win.eventdata.targetUserName field must be the same 5 times during this period.

<rule id="100189" level="2">
  <if_group>windows</if_group>
  <field name="win.system.eventID">^4723$</field>
  <description>Password Changed</description>
  <options>no_full_log</options>
</rule>
<rule id="100190" level="15" frequency="5" timeframe="28800">
  <if_matched_sid>100189</if_matched_sid>
  <description>Password changed more than 5 times</description>
</rule>

Olamilekan Abdullateef Ajani

Dec 1, 2025, 10:17:17 AM (yesterday) Dec 1
to Wazuh | Mailing List
Hello devs,

I believe you need to expand the scope of your current rule setup to correlate events on the username field specifically, rather than only globally or for a single user. I made an adjustment to the rule you shared to match on the same field attribute, so when a specific user attempts the password change within that period, the rule is triggered.

<rule id="100189" level="3">
  <if_group>windows</if_group>
  <field name="win.system.eventID">^4723$</field>
  <description>Password changed for account $(win.eventdata.targetUserName)</description>
  <options>no_full_log</options>
</rule>

<rule id="100190" level="12" frequency="5" timeframe="28800">
  <if_matched_sid>100189</if_matched_sid>
  <same_field>win.eventdata.targetUserName</same_field>
  <description>Excessive password changes detected for user $(win.eventdata.targetUserName) in 8 hours</description>
</rule>


Please let me know if you require further clarification or assistance on this.

Regards,
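A small simulation, added here and not part of either post, of what `<same_field>` changes in rule 100190: it counts eventID 4723 matches in a sliding 28800-second window, once globally (the original rule) and once per targetUserName (the adjusted rule), over constructed sample events. The event list, timestamps and usernames are made up, and the sliding-window logic is a simplified model of frequency/timeframe, not the Wazuh engine itself.

```python
from collections import defaultdict, deque

# Constructed sample events, not real Wazuh output:
# (timestamp in seconds, win.system.eventID, win.eventdata.targetUserName)
EVENTS = [
    (0,     "4723", "IvanovII"),
    (600,   "4723", "PetrovPP"),
    (1200,  "4723", "IvanovII"),
    (1800,  "4723", "SidorovSS"),
    (2400,  "4723", "IvanovII"),   # 5th 4723 overall: the global rule fires here
    (3000,  "4723", "PetrovPP"),
    (3600,  "4723", "IvanovII"),
    (4200,  "4724", "IvanovII"),   # password reset, not matched by rule 100189
    (4800,  "4723", "IvanovII"),   # 5th change by IvanovII: the per-user rule fires here
    (40000, "4723", "IvanovII"),   # more than 28800 s after the earlier changes
]

FREQUENCY = 5        # frequency="5"
TIMEFRAME = 28800    # timeframe="28800" (8 hours)


def correlate(events, frequency=FREQUENCY, timeframe=TIMEFRAME, same_field=False):
    """Return [(timestamp, user)] at which the composite rule fires.

    Models rule 100190: count events that rule 100189 matched (eventID 4723)
    inside a sliding `timeframe` window. With same_field=True the count is
    kept per targetUserName, mirroring <same_field>; otherwise one shared
    counter is used, as in the original rule. Simplified model: the window
    is reset after each alert.
    """
    windows = defaultdict(deque)   # counter key -> timestamps of recent matches
    fired = []
    for ts, event_id, user in events:
        if event_id != "4723":     # rule 100189 does not match this event
            continue
        key = user if same_field else "*"
        window = windows[key]
        window.append(ts)
        while window and ts - window[0] > timeframe:   # drop expired matches
            window.popleft()
        if len(window) >= frequency:
            fired.append((ts, user))
            window.clear()
    return fired


if __name__ == "__main__":
    print("global  :", correlate(EVENTS))                    # fires after 5 changes by 3 different users
    print("per-user:", correlate(EVENTS, same_field=True))   # fires only once IvanovII reaches 5
```

The global variant alerts at 2400 s although no single account has changed its password five times, which is the behaviour the first post describes; the per-user variant alerts only at 4800 s, when IvanovII alone reaches five changes.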
