Correlation rules


German DiCasas

1:13 PM (4 hours ago)
to Wazuh | Mailing List
Hi team,

I have Wazuh 4.14 and I want to trigger an alert after some rules. The problem here is that I want to take the information from each one and display it in a single rule. Is it possible? I want to gather information from the other two or more rules (all the variables of events 1, 2, ... to use over another event).

I mean, for example, at the moment a USB storage device is connected, 3 logs arrive at Wazuh with the same event ID and rule.id, each one with important information. I want to trigger one alert with the information of the 3 events. Can that be done?

In the attached file you can see the 3 events, and I want, for example, to have one rule to trigger an alert with the information: USB-Volume-WPD-Kali Live. One rule with the information of the 3 events. Is this type of correlation possible in Wazuh 4.14?

Regards


[Attachment: usb connect.png]

Jose Luis Carreras Marin

2:05 PM (3 hours ago)
to Wazuh | Mailing List
Hi,

In Wazuh 4.14, this is partially possible.

You can create a correlation rule that fires after several matching events using `if_matched_sid` with `frequency` and `timeframe`, and optionally `same_field` if the events share a stable common field.

However, Wazuh does not natively merge the decoded fields from multiple previous events into one new alert as separate variables. The correlated alert keeps the fields from the event that finally triggers the rule. The previous matching events are available only as raw text in `previous_output`.

So for your Windows Event ID 6416 / rule 60227 case:
- Yes, you can raise a new alert after the 3 related events arrive.
- No, you cannot build one Wazuh alert containing the structured fields of event 1 + event 2 + event 3 as independent fields.
- If the 3 events share a stable field such as a device identifier, use that with `same_field`.

Here is the related documentation:
- https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

Example:

<!-- Custom rules must live inside a group, e.g. in etc/rules/local_rules.xml -->
<group name="local,windows,">
  <!-- frequency/timeframe: number of matching 60227 events required within the window (seconds) -->
  <rule id="100200" level="10" frequency="3" timeframe="5">
    <if_matched_sid>60227</if_matched_sid>
    <!-- $(field) expands only the fields of the event that finally triggers the rule -->
    <description>USB device detected after 3 correlated 6416 events. Current class=$(win.eventdata.className), current description=$(win.eventdata.deviceDescription)</description>
  </rule>
</group>


If you need a single enriched alert containing data from all 3 events as structured fields, that requires external aggregation or custom scripting before/after Wazuh processing.

Regards
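One way to do the external aggregation the reply mentions, as an added example that is not part of this thread or of Wazuh itself: a small Python post-processor that takes one correlated alert (a constructed sample below, laid out like an alerts.json record), parses the raw Windows eventchannel JSON lines carried in `previous_output`, and merges their `className` and `deviceDescription` with those of the triggering event. It assumes each full_log in `previous_output` is a JSON document and that `win.system.systemTime` is present for ordering; both are assumptions about the deployment, not Wazuh guarantees.

```python
import json
from typing import Any, Optional

# Constructed sample alert in the shape the reply describes: decoded fields of
# the triggering event under data.win, earlier matching events only as raw
# text in previous_output (one full_log per line). Timestamps are made up.
def _raw(ts: str, cls: str, desc: str) -> str:
    return json.dumps({"win": {"system": {"eventID": "6416", "systemTime": ts},
                               "eventdata": {"className": cls,
                                             "deviceDescription": desc}}})

SAMPLE_ALERT = {
    "rule": {"id": "100200", "level": 10},
    "previous_output": "\n".join([
        _raw("2024-01-01T10:00:02Z", "Volume", "Generic volume"),
        _raw("2024-01-01T10:00:01Z", "USB", "USB Mass Storage Device"),
    ]),
    "data": json.loads(_raw("2024-01-01T10:00:03Z", "WPD", "Kali Live")),
}

def _parse_event(doc: dict) -> Optional[tuple]:
    """Return (systemTime, eventdata) from a decoded win document, or None."""
    win = doc.get("win") or {}
    eventdata = win.get("eventdata")
    if not isinstance(eventdata, dict):
        return None
    return (win.get("system", {}).get("systemTime", ""), eventdata)

def merge_correlated_alert(alert: dict) -> dict[str, Any]:
    """Rebuild one record holding the fields of every event behind the alert."""
    events = []
    for line in alert.get("previous_output", "").splitlines():
        try:
            parsed = _parse_event(json.loads(line))
        except json.JSONDecodeError:
            continue  # non-JSON full_log: skip rather than guess at fields
        if parsed:
            events.append(parsed)
    current = _parse_event(alert.get("data", {}))
    if current:
        events.append(current)
    events.sort(key=lambda e: e[0])  # do not rely on previous_output order
    classes = [e[1].get("className", "") for e in events]
    final_desc = events[-1][1].get("deviceDescription", "") if events else ""
    return {
        "rule_id": alert.get("rule", {}).get("id"),
        "event_count": len(events),
        "device_classes": classes,
        "summary": "-".join(c for c in classes + [final_desc] if c),
    }
```

Fed the sample, `summary` comes out as `USB-Volume-WPD-Kali Live`, the combined string asked for in the first message.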

German DiCasas

4:10 PM (1 hour ago)
to Wazuh | Mailing List
So, not possible. What external aggregation do you recommend?