Custom Rules for specific agent groups


wazuh

Jun 4, 2024, 9:25:47 PM
to Wazuh | Mailing List
Is there a way to make a rule that would only apply to agents that belong to certain groups? For example, I want to make a rule that only applies to agents that belong to the groups CompanyA and Server.

Or just simply: if an agent belongs to group CompanyA, then the rule will apply?

Stuti Gupta

Jun 4, 2024, 10:24:38 PM
to Wazuh | Mailing List
Hi team!
Please allow me some time. I'm looking into this query and will update you with an appropriate answer.

Stuti Gupta

Jun 5, 2024, 1:30:04 AM
to Wazuh | Mailing List
Hi 

Unfortunately, it is not possible to filter rules by agent or group of agents at the moment. Here are some options with which you can achieve something similar:
  • Use labels: it is possible to add labels to an agent group, and they will be applied to every alert triggered by the agents in that group. To do that, apply a centralized configuration that sets up the label for each specific group.
    Once that is done, you can verify the new alerts from those agents and confirm that the label is applied. You can also filter by the labels in the Wazuh dashboard.
  • Use a specific field: if you have a field in the alert that is common to all the agents of a group, you can edit the rules so they are only triggered when that field has the expected value. For example: if all the agent hostnames in the group "lab" start with "lab-" and you want to filter rule 5701, you can create a child rule similar to this:

      <group name="local,syslog,sshd,">
        <rule id="100002" level="8">
          <if_sid>5701</if_sid>
          <!-- For agent events the hostname field is the agent name. The pattern is a
               search, not a full match, so anchor it with ^ to get "starts with lab-". -->
          <hostname type="PCRE2">^lab-</hostname>
          <description>sshd: Possible attack on the ssh server </description>
          <description>(or version gathering). - Known agent</description>
        </rule>
      </group>


    This way the rule will only be triggered when the agent hostname starts with "lab-".


    [screenshot]

    As you can see in the previous image, agents starting with "lab-" trigger the custom rule, while agents that don't start with "lab-" trigger the original rule. 

You can find more information about labels and custom rules on the following links: 

I hope you find this information helpful. Let me know if you have any questions.
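The centralized label configuration the answer above refers to, written out as an added example (it is not part of the original post or of the Wazuh project's files). It assumes a group named CompanyA whose shared configuration lives in /var/ossec/etc/shared/CompanyA/agent.conf; the label key and value are hypothetical:

```xml
<!-- /var/ossec/etc/shared/CompanyA/agent.conf (assumed group name and path) -->
<agent_config>
  <labels>
    <!-- hypothetical key/value; shows up in alerts as agent.labels.company -->
    <label key="company">CompanyA</label>
  </labels>
</agent_config>
```

Once the agents in the group have pulled the shared configuration, every alert they generate carries the label under agent.labels in alerts.json, so you can filter on agent.labels.company in the dashboard or in an SIEM downstream. The label is metadata on the alert only; there is no rule field that matches on it.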

wazuh

Jun 5, 2024, 2:35:41 AM
to Wazuh | Mailing List
Can I use the labels in rules? If not, is it possible to use the agent names?

Stuti Gupta

Jun 5, 2024, 7:51:04 AM
to Wazuh | Mailing List
There is already an issue open regarding this. I believe this will take some time.
https://github.com/wazuh/wazuh/issues/3130

For now, as a workaround, you can use the agent name inside the <hostname>Agent_name</hostname> field in rules to trigger an alert based on the agent name.
Ex:
<group name="test_group,">
  <rule id="107101" level="12">
    <if_sid>5501</if_sid>
    <!-- for agent events the hostname field holds the agent name -->
    <hostname>ubuntu20</hostname>
    <description>Successful login from $(hostname) server.</description>
    <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,</group>
  </rule>
</group>
With the help of a CDB list you can create a list of agent names and use that list in your rule to trigger alerts:
<group name="test_group,">
  <!-- distinct id from the single-agent rule above so both can be loaded together -->
  <rule id="107102" level="12">
    <if_sid>5501</if_sid>
    <!-- one agent name per line (key:value, value may be empty) in etc/lists/linux-servers;
         the list must also be declared under <ruleset><list> in ossec.conf -->
    <list field="hostname">etc/lists/linux-servers</list>
    <description>Successful login from $(hostname) server.</description>
    <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,</group>
  </rule>
</group>


If you need help creating a CDB list please check this: https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html
Check this document to learn more about creating and configuring custom rules:
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
Let me know if this works for you.
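The two workarounds given in this thread (a hostname pattern in a child rule, and a CDB list of agent names) both key on the agent name, and the pattern variant has a caveat worth checking before deploying it: the hostname match is a search, so an unanchored pattern such as lab-.+ also fires for an agent called mylab-jump. The following is an added example that models that selection logic over constructed events; it is not code from the thread or from the Wazuh project. It assumes that Wazuh fills the hostname field of an agent event with the agent name, that a PCRE2 hostname pattern is matched as an unanchored search, and that a CDB list is a key:value-per-line file matched on the key; Python's re module stands in for PCRE2, and the anchoring behaviour shown is the same in both engines.

```python
import re

# Constructed sample events: (agent_name, id of the rule the base ruleset matched).
SAMPLE_EVENTS = [
    ("lab-web01", 5701),
    ("lab-db02", 5701),
    ("mylab-jump", 5701),   # contains "lab-" but does not start with it
    ("prod-web01", 5701),
    ("lab-web01", 5710),    # different parent rule: <if_sid>5701</if_sid> must skip it
]

# Constructed CDB list source in the format of /var/ossec/etc/lists/linux-servers:
# one "key:value" per line, value may be empty, only the key is looked up.
CDB_LINUX_SERVERS = "lab-web01:\nlab-db02:\n"


def parse_cdb_list(text):
    """Return the set of keys in a CDB list source (one key:value per line)."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue  # tolerate blank lines (assumption, not a Wazuh guarantee)
        key, _sep, _value = line.partition(":")
        keys.add(key)
    return keys


def child_rule_fires(agent_name, sid, parent_sid, hostname_pattern=None, cdb_keys=None):
    """Model one child rule.

    <if_sid>parent_sid</if_sid> must match first. Then either
    <hostname type="PCRE2">pattern</hostname> (a search, so an unanchored
    pattern also hits names that merely contain it) or
    <list field="hostname"> (exact key lookup in the CDB list) must match.
    """
    if sid != parent_sid:
        return False
    if hostname_pattern is not None and re.search(hostname_pattern, agent_name):
        return True
    if cdb_keys is not None and agent_name in cdb_keys:
        return True
    return False


def agents_hit(events, parent_sid, hostname_pattern=None, cdb_keys=None):
    """Agent names (in event order, duplicates kept) for which the child rule fires."""
    return [
        name for name, sid in events
        if child_rule_fires(name, sid, parent_sid, hostname_pattern, cdb_keys)
    ]


if __name__ == "__main__":
    # Unanchored "lab-.+": mylab-jump is swept in as well.
    print(agents_hit(SAMPLE_EVENTS, 5701, hostname_pattern=r"lab-.+"))
    # Anchored "^lab-.+": only names that start with lab-, as the post intends.
    print(agents_hit(SAMPLE_EVENTS, 5701, hostname_pattern=r"^lab-.+"))
    # CDB list: an exact allow-list of agent names, no pattern pitfalls.
    print(agents_hit(SAMPLE_EVENTS, 5701, cdb_keys=parse_cdb_list(CDB_LINUX_SERVERS)))
```

In practice the CDB list is the safer of the two when the agent names in a group do not share a prefix, because it is an exact allow-list rather than a pattern; the price is that you must regenerate the list (and keep it in sync with group membership) whenever agents are added.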