Wazuh rule of detection of an agent.ip

[Carlos los]

Hello,

Seeking for guidance for Wazuh Rules, I want to define agent.id/agent.ip field to match within a rule.

In detailed explanation: I want a rule to get trigger if any specific agent.id or agent.ip is detected.

For example: 

<rule id="120001" level="0">
    <decoded_as>XYZ</decoded_as>
    <description>XYZ Logs grouped</description>
  </rule>
 
  <rule id="120002" level="5">
    <if_sid>120001</if_sid>
    <field name="agent.ip">10.10.10.10</field>
    <description>Event detected from 10.10.10.10</description>
  </rule>

Doing like this does not help me out, so what can be the possible solution?

Any help would be appreciated,

Thanks,

Carlos.

[Juan Cabrera]

Hello Carlos,

For your use case, you need to use the location label. This way, the event would look like this:

  <rule id="120002" level="5">
    <if_sid>120001</if_sid>
    <location>10.10.10.10.10</location>
    <description>Event detected from 10.10.10.10.10</description>
  </rule>

Matching with the corresponding IP.

Best regards!

​

[Carlos los]

  Hello Juan,

I wanted to ask to that will this work? Because in my Wazuh Events it like this:

<rule id="120002" level="5">

<if_sid>120001</if_sid> <location>10.10.10.10.10</location> <!-- Location as I mentioned in my screenshot has a name of my service and I want a rule triggering on the basis of agent.ip --> <description>Event detected from 10.10.10.10.10</description> </rule>

I want to make a child rule which matches agent.ip in my triggered events. 

Any help would be appreciated,

Thanks,

Carlos.

[Juan Cabrera]

For your case, it is better to use the name of the agent that has that IP. You can see more information about the location field here:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html?#location

Regards !