Agent.Name | Or Operator


John Carry

Feb 15, 2023, 5:34:48 AM2/15/23
to Wazuh mailing list
Hello Wazuh Team,
I have created a rule that matches against multiple agent.names separated with the OR operator "|" inside the <field> section, but the issue is that the rule does not seem to be working, as it appears not to be matching the agent.name values.

Can agent.name and agent.id be used inside the <field> section?

Our use case should work in such a way that whenever it finds any listed agent.name inside the <field> section, it will not fire the rule.
Parent Rule:
2.png
Actual Rule (Problematic):
1.png
Payload:
3.png
You are requested to help as it is an urgent query.

Regards,
John Carry

Damian Alfredo Mangold

Feb 15, 2023, 5:59:25 AM2/15/23
to Wazuh mailing list
Hi John, thanks for using Wazuh.

To better understand the query: is the rule not triggering, or is it triggering but doesn't have the behavior you want?

If the problem is that the rule does not trigger, try changing the level of the child rule (ID: 112001) to a level greater than 4 and check again if the rule triggers.

If it still doesn't work, I'll need you to share the rules and the log associated with that rule so I can do some local testing and see where the error might be. At first glance, I don't see anything strange, except for the level = 0 of rule 112001.


Regards

John Carry

Feb 15, 2023, 6:12:22 AM2/15/23
to Wazuh mailing list
I think you have not answered all my queries; however, agent.name inside the <field> section doesn't seem to be working, because it worked when I replaced agent.name with the parsed field "win.system.computer".
I think you should refer this to your development team to let the community know whether we can use agent.name inside the <field> section.

Refer image for your reference:
4.png

Damian Alfredo Mangold

Feb 15, 2023, 9:27:39 AM2/15/23
to Wazuh mailing list
I apologize for not having specifically answered your question in the previous message.

The `agent.name/id` field cannot be used in the `<field>` section of a rule because the `agent.name/id` field is metadata; it does not come in the raw event that goes through the decoders/rules. The `agent.name/id` field is inserted into the JSON when the alert is triggered, so it does not exist for the rules.

Surely you already know it, but just in case I leave you the link to the documentation of the `<field>` section:

Used as a requisite to trigger the rule. It will check for a match in the content of a field extracted by the decoder.
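The exclusion pattern discussed in this thread, written out as an added example (this is not the poster's rule, which is only visible in the attached images, and not part of the Wazuh ruleset). It assumes Windows eventchannel events decoded by the json decoder, so the decoded fields win.system.channel, win.system.eventID and win.system.computer are available to <field>; the rule ids 112000/112001 and the hostnames LAB-WS01, LAB-WS02 and BUILD-SRV03 are constructed for the example. The host list uses the decoded computer name rather than agent.name, because agent.name is alert metadata that the rule engine never sees.

```xml
<group name="local,windows,">

  <!-- Parent rule (id constructed for this example): alert on every
       Security-channel logon failure, EventID 4625. -->
  <rule id="112000" level="5">
    <decoded_as>json</decoded_as>
    <field name="win.system.channel">^Security$</field>
    <field name="win.system.eventID">^4625$</field>
    <description>Windows logon failure on $(win.system.computer)</description>
  </rule>

  <!-- Exclusion rule (id constructed for this example): when the parent
       matches and the decoded computer name is one of the listed hosts,
       this level-0 child replaces the parent's alert, so nothing fires.
       The match is on win.system.computer, a field produced by the
       decoder; agent.name would never match here because it is added
       to the alert JSON only after rule evaluation.
       Each alternative is anchored separately with ^ and $ because the
       default matcher is OS_Regex, where "|" is the OR operator. -->
  <rule id="112001" level="0">
    <if_sid>112000</if_sid>
    <field name="win.system.computer">^LAB-WS01$|^LAB-WS02$|^BUILD-SRV03$</field>
    <description>Logon failure on an excluded lab host, suppressed</description>
  </rule>

</group>
```

To check which rule a sample event lands on, feed the raw JSON event to /var/ossec/bin/wazuh-logtest on the manager: a listed host should end on rule 112001 with level 0 (no alert), any other host on 112000. If the host list is long or needs real grouping, the <field> element also accepts type="pcre2", which allows the more familiar ^(HOST-A|HOST-B)$ form.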