Agent Disconnect - Help me

[Facu Basgall]

I want to create a rule based on 504, 506 and 503 to raise to level 12 when an agent goes offline at a certain time (e.g. from 18:00 to 21:00). But I want to base it on a list of agents or on a variable where I define the critical agents

Can you help me please?

[Olamilekan Abdullateef Ajani]

Hello,

I have configured something similar to this before, you need to create a variable with the agent name to capture the group of agents in question. Please see a sample custom rule used below for this use case.

<var name="sensitive-server">ubuntu-new|windows10-agent|ubuntu-ag</var>
<group name="agent-stat">
<rule id="121506" level="7">
    <if_sid>506</if_sid>
    <match>$sensitive-server</match>
    <time>2 pm - 8:30 pm</time>
    <description>sensitive server with Wazuh agent stopped.</description>
</rule>
</group>

You can find reference about the time option and other configurable rule options below:

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#time

Please let me know if you require further assistance on this.

[Facu Basgall]

I've been testing the rule configuration but it doesn't work for me.

I have configured so that every time an agent is disconnected or the service is stopped, it raises it to level 12, but I want to add the list of excepted servers in certain time ranges because in those times they are scheduled to restart and it is a normal behavior

I attach my rule file, if you can help me please because it does not work.

[Olamilekan Abdullateef Ajani]

Hello,

Please review the attached file. I made use of your rules and it worked with little tweaks in the time. Please for proper management, also follow the syntax as defined in the documentation, you can also use the sample I created as baseline too.

Ref:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#time

Please let me know if you require further clarification on this.