Creating Wazuh Alerts Based on Specific Times and Weekdays

[E A]

Hi,

I'm using Wazuh 4.8.2 and would like to create custom rules for monitoring login activities of specific users. However, I want these rules to trigger only during specific times and days.
For example:

• Weekdays (Monday to Friday) from 6:00 PM to 8:30 AM

• Weekends (Saturday and Sunday) all day

According to the Wazuh documentation, the <weekday> tag only accepts a single value (e.g., monday, weekends, weekdays) and doesn’t support multiple values or comma-separated entries.

Given this limitation, what would be the best approach to implement the logic above?

• Should I define separate rules for each day/time combination?

• Or is there a better or more efficient way to achieve this?

Thanks in advance for your help!

[Nicolas Alejandro Bertoldo]

Hi E A,

For this particular case, you should define two rules, one for weekdays and one for weekends, something like this:

<rule id="100001" level="9"

    <if_sid>zzzzz</if_sid>

    <time>6 pm - 8:30 am</time>

    <weekday>weekdays</weekday>

    <description>Test weekdays.</description>

</rule>

<rule id="100002" level="9">

    <if_sid>zzzzz</if_sid>

    <weekday>weekends</weekday>

    <description>Test weekends.</description>

</rule>

Related documentation: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rules-syntax

Regards.

[E A]

Hi Nicolas,

I had previously overwritten a rule with rule.id="92653" to change the level to 8 and add some additional filtering based on specific usernames and domain. Now, following your advice about separating weekday and weekend logic, I'm a bit confused.

Should I:

• Keep the existing 92653 rule as-is?

• And then create two new rules (with different rule IDs, like 10092653 and 10092654) that inherit from 92653 using <if_sid> and contain the time and weekday logic?

Or should I completely replace the original rule and split it into two (one for weekdays, one for weekends)?

What’s the proper and cleanest way to implement this? I will do the same with my other 3 rules.

  <rule id="92653" level="8" overwrite="yes">
    <if_sid>92651</if_sid>
    <field name="win.eventdata.logonType" type="pcre2">^10$</field>
    <field name="win.eventdata.targetUserName" type="pcre2">^(USER)$</field>
    <field name="win.eventdata.targetDomainName" type="pcre2">^DOMAIN$</field>
    <description>User: $(win.eventdata.subjectDomainName)\$(win.eventdata.targetUserName) logged using Remote Desktop Connection (RDP) from ip:$(win.eventdata.ipAddress).</description>
    <mitre>
      <id>T1021.001</id>
      <id>T1078.002</id>
    </mitre>
  </rule>

Thanks.

26 Mayıs 2025 Pazartesi tarihinde saat 16:26:24 UTC+3 itibarıyla Nicolas Alejandro Bertoldo şunları yazdı:

[Nicolas Alejandro Bertoldo]

E A,

Yes, it is correct to keep the new rule 92653, especially if the filtering you have added is common to the other two “child” rules you must create.

Regards.

[E A]

Hi Nicolas,

I've implemented a time-based child rule structure as we discussed earlier, aiming to trigger alerts for RDP logins during off-hours and weekends. Here's the structure I used:

• Parent rule (ID: 92653)

• Child rule (ID: 10092653) — weekdays between 6 PM and 8:30 AM

• Child rule (ID: 10092654) — weekends all day

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

<group name="win_evt_channel,windows,">

  <rule id="92653" level="8" overwrite="yes">
    <if_sid>92651</if_sid>
    <field name="win.eventdata.logonType" type="pcre2">^10$</field>

    <field name="win.eventdata.targetUserName" type="pcre2">^(USERS)$</field>

    <field name="win.eventdata.targetDomainName" type="pcre2">^DOMAIN$</field>

    <description>User: $(win.eventdata.subjectDomainName)\$(win.eventdata.targetUserName) logged in using Remote Desktop Connection (RDP) from IP: $(win.eventdata.ipAddress).</description>

    <mitre>
      <id>T1021.001</id>
      <id>T1078.002</id>
    </mitre>
  </rule>

  <rule id="10092653" level="9">
    <if_sid>92653</if_sid>

    <time>6 pm - 8:30 am</time>
    <weekday>weekdays</weekday>

    <description>RDP login by privileged user during weekday off-hours.</description>
  </rule>

  <rule id="10092654" level="9">
    <if_sid>92653</if_sid>
    <weekday>weekends</weekday>
    <description>RDP login by privileged user during the weekend.</description>
  </rule>
</group>

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Could you please review and let me know if this aligns with your best practices?

In particular, I'm wondering if combining both <time> and <weekday> in the same rule is considered optimal — or would you recommend splitting them differently?

Thanks a lot in advance!

Regards.

26 Mayıs 2025 Pazartesi tarihinde saat 21:18:26 UTC+3 itibarıyla Nicolas Alejandro Bertoldo şunları yazdı:

[Nicolas Alejandro Bertoldo]

Hi E A, 

Yes, combining <time> and <weekday> filters in the same rule is fine, as it quickly discards events that do not match both.

Regards

[EA]

Hi Nicolas,

Thanks a lot for your help! 🙏
The rule is now working as expected — it triggers alerts only outside working hours.
I've attached screenshots of the triggered alert and the rule I created.

I will test your behavior on the weekend on Saturday.

Also, if you have any feedback or see any improvements I could make, I’d be happy to hear your thoughts!

Regards.

27 Mayıs 2025 Salı tarihinde saat 17:18:58 UTC+3 itibarıyla Nicolas Alejandro Bertoldo şunları yazdı:

[Nicolas Alejandro Bertoldo]

E A,

Perfect! I think that, according to your needs, the rules you have defined are fine.

Regards