Hello Wazuh Team,I have created a custom rule for my Firewall because I need to trigger level 12 alert if my condition is met, let me mention both the rules below.
How-ever the problem I am facing is when a rule is Tested, it says that it had find duplicate rule and priority will given to first rule (Default one), I am pasting the error below, you are requested to assist on making changes as I want to trigger custom rule when ever my condition mentioned there is met:

**Messages: WARNING: (7003): 'da8101f3' token expires WARNING: (7612): Rule ID '222032' is duplicated. Only the first occurrence will be considered. INFO: (7202): Session initialized with token '32b7d590'
**Phase 1: Completed pre-decoding. full event: 'date=2023-02-15 time=21:11:24 devname="Arpatech_HO" devid="FG6H1ETB21907474" eventtime=1676477485124165451 tz="+0500" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=12 sessionid=167293945 srcip=192.168.18.78 srcport=56529 srcintf="port2" srcintfrole="lan" dstip=104.21.35.30 dstport=443 dstintf="port5" dstintfrole="wan" proto=6 service="HTTPS" hostname="cdn.shopproxy.live" profile="Custom_Policy" action="blocked" reqtype="direct" url="
https://cdn.shopproxy.live/" sentbyte=426 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=26
catdesc="Malicious Websites" crscore=30 craction=4194304 crlevel="high"'
**Phase 2: Completed decoding. name: 'fortigate-firewall-v5' action: 'blocked' catdesc: 'Malicious Websites' craction: '4194304' crlevel: 'high' crscore: '30' devid: 'FG6H1ETB21907474' devname: 'Arpatech_HO' direction: 'outgoing' dstintf: 'port5' dstintfrole: 'wan' dstip: '104.21.35.30' dstport: '443' eventtime: '1676477485124165451' eventtype: 'ftgd_blk' hostname: 'cdn.shopproxy.live' level: 'warning' logid: '0316013056' msg: 'URL belongs to a denied category in policy' policyid: '12' profile: 'Custom_Policy' proto: '6' rcvdbyte: '0' reqtype: 'direct' sentbyte: '426' service: 'HTTPS' sessionid: '167293945' srcintf: 'port2' srcintfrole: 'lan' srcip: '192.168.18.78' srcport: '56529' subtype: 'webfilter' time: '21:11:24' type: 'utm' url: 'https://cdn.shopproxy.live/' vd: 'root'
**Phase 3: Completed filtering (rules). id: '81644' level: '6' description: 'Fortigate: Blocked URL belongs to a denied category in policy.' groups: '["fortigate","syslog"]' firedtimes: '1' mail: 'false'
**Alert to be generated.

By-Default Rule:
<rule id="81644" level="6">
<if_sid>81603</if_sid>
<match>type="utm" subtype="webfilter"|type=utm subtype=webfilter</match>
<action>blocked</action>
<description>Fortigate: Blocked URL belongs to a denied category in policy. </description>
</rule>
Custom Rule:
<rule id="222032" level="12">
<if_sid>81644</if_sid>
<field name="catdesc">Malicious Websites|"Malicious Websites"</field>
<description>User accessing Malicious Website</description>
</rule>
The Actual Payload:
date=2023-02-15 time=21:11:24 devname="xxx" devid="xxxH1ETB21907474" eventtime=1676477485124165451 tz="+0500" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=12 sessionid=167293945 srcip=192.168.x.x srcport=56529 srcintf="port2" srcintfrole="lan" dstip=104.21.35.30 dstport=443 dstintf="port5" dstintfrole="wan" proto=6 service="HTTPS" hostname="cdn.shopproxy.live" profile="Custom_Policy" action="blocked" reqtype="direct" url="
https://cdn.shopproxy.live/" sentbyte=426 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=26 catdesc="Malicious Websites" crscore=30 craction=4194304 crlevel="high"