Custom rules using fts option


Mithun Haridas

May 7, 2025, 3:20:10 AM
to Wazuh | Mailing List
Hi team,

If a new IP appears in a log, that is, the first time the IP has been detected in the environment, can I set up a rule to be triggered for that scenario?

While referring to the Wazuh documentation I noticed the fts option, but I could not find much information about it. Can anyone guide me through this scenario by creating a sample rule?


Regards

Stuti Gupta

May 7, 2025, 6:22:14 AM
to Wazuh | Mailing List

Hi Mithun Haridas,

Yes, you're correct: you can achieve your use case using the fts (first time seen) syntax. Here's an example to illustrate it:

Suppose your log looks like this:
web: [10.150.46.225] FAILED_LOGIN (admin)

You can create a decoder like the following:

<decoder name="barracuda-web">
        <prematch>web: </prematch>
</decoder>
<decoder name="barracuda-failed-login">
        <parent>barracuda-web</parent>
        <prematch>FAILED_LOGIN</prematch>
        <regex>web: [(\d+.\d+.\d+.\d+)] FAILED_LOGIN \p(\.+)\p</regex>
        <fts>srcip</fts>
        <ftscomment>First time ip detected command</ftscomment>
        <order>srcip,user</order>
</decoder>

Make sure the decoder includes both the <fts> and <ftscomment> tags. The fts field must be a static field extracted by the decoder, in this case srcip (<fts>srcip</fts>).
Refer to https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html#fts


Next, you can create a custom rule like this:

<group name="web">
<rule id="100003" level="3">
        <if_sid>1002</if_sid>
        <decoded_as>barracuda-web</decoded_as>
        <if_fts />
        <description>login failed from $(srcip)</description>
</rule>
</group>
Refer to https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-fts

This rule will trigger only the first time a unique IP address appears in the logs, because <if_fts /> ensures the rule fires only on the first match, when srcip is new.


Let me know if you need any further assistance!
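To make the first-time-seen mechanics concrete, here is an added stand-alone model of what the decoder and rule above do; it is example code, not Wazuh's own implementation. The manager builds a key from the decoder name and the values of the fields listed in <fts>, fires the <if_fts /> rule only when that key has never been recorded, and keeps the recorded keys on disk so a restart does not re-alert. The model below does the same over constructed sample lines, with two assumptions labelled in the code: the key layout (decoder name followed by the field values) and the minimum key length of 14 characters (the default of analysisd.fts_min_size_for_str in internal_options.conf). The Python regex is an approximate translation of the Wazuh regex from the decoder above.

```python
import re
import tempfile
from pathlib import Path

# Python translation of the Wazuh regex from the decoder above:
#   web: [(\d+.\d+.\d+.\d+)] FAILED_LOGIN \p(\.+)\p
# In Wazuh syntax a bare '.' is literal, '\.' means any character and
# '\p' means a punctuation character, so this is an approximation.
FAILED_LOGIN = re.compile(
    r"web: \[(?P<srcip>\d+\.\d+\.\d+\.\d+)\] FAILED_LOGIN \((?P<user>[^)]+)\)"
)
DECODER_NAME = "barracuda-failed-login"
FTS_FIELDS = ("srcip",)   # <fts>srcip</fts>: the fields that make up the FTS key
FTS_MIN_SIZE = 14         # assumed minimum key length (analysisd.fts_min_size_for_str)


def decode(line):
    """Return the fields the child decoder would extract, or None on no match."""
    m = FAILED_LOGIN.search(line)
    return m.groupdict() if m else None


class FtsQueue:
    """Keys already seen, kept in memory and appended to a file (like fts-queue)."""

    def __init__(self, path):
        self.path = Path(path)
        self.seen = set()
        if self.path.exists():
            self.seen.update(
                k.strip() for k in self.path.read_text().splitlines() if k.strip()
            )

    def first_time(self, decoder_name, fields):
        """True only the first time this decoder/field combination is seen."""
        values = [fields.get(f) for f in FTS_FIELDS]
        if any(v is None for v in values):
            return False   # a field the decoder did not extract can never be "new"
        key = " ".join([decoder_name, *values])   # assumed key layout
        if len(key) < FTS_MIN_SIZE or key in self.seen:
            return False
        self.seen.add(key)
        with self.path.open("a") as fh:
            fh.write(key + "\n")   # persist so a restart does not re-alert
        return True


def run_rules(line, queue):
    """Emulate rule 100003: fires only if the decoder matched and the key is new."""
    fields = decode(line)
    if fields is None:
        return None
    if queue.first_time(DECODER_NAME, fields):
        return f"100003: login failed from {fields['srcip']}"
    return None


# Constructed sample events (not taken from the original post).
SAMPLE = [
    "web: [10.150.46.225] FAILED_LOGIN (admin)",   # first sight of this IP: alert
    "web: [10.150.46.225] FAILED_LOGIN (root)",    # same IP, other user: no alert
    "web: [192.0.2.10] FAILED_LOGIN (admin)",      # new IP: alert
    "web: [10.150.46.225] LOGIN_OK (admin)",       # decoder does not match: nothing
]


def run_demo(queue_path=None):
    """Process SAMPLE twice, reloading the queue in between to mimic a restart."""
    if queue_path is None:
        queue_path = Path(tempfile.mkdtemp()) / "fts-queue"
    queue = FtsQueue(queue_path)
    first_pass = [run_rules(line, queue) for line in SAMPLE]
    queue = FtsQueue(queue_path)             # fresh object, same file: "restart"
    second_pass = [run_rules(line, queue) for line in SAMPLE]
    return first_pass, second_pass


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The second pass returns no alerts at all: because the recorded keys survive the restart, an IP that was already seen once will never trigger the first-time-seen rule again unless the recorded key is removed. That is the property to keep in mind when testing with an IP that was already in the environment before the rule was added.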

Mithun Haridas

May 22, 2025, 2:05:54 AM
to Wazuh | Mailing List
Hi Stuti,

I have tried the steps you mentioned above:

1. Added the fts option to the decoder:

<decoder name="bitdefender-gz-fields">
  <parent>bitdefender-gz</parent>
  <regex>"source_ip":"(\d+.\d+.\d+.\d+)"</regex>
  <fts>srcip</fts>
  <ftscomment>First time seen IP</ftscomment>
  <order>srcip</order>
</decoder>

2. Created a custom rule:

<rule id="111003" level="11">
  <if_sid>111002</if_sid>
  <if_fts />
  <description>Bitdefender: Traffic from new $(srcip).</description>
</rule>

My logs currently trigger rule 111002, but even when I submit a fresh IP they do not trigger 111003.

To trigger this rule, is there anything further that needs to be set up?




Regards,

Mithun Haridas

May 25, 2025, 11:41:51 PM
to Wazuh | Mailing List
Hi team,

Can someone help me with this issue?

Stuti Gupta

May 27, 2025, 5:44:26 AM
to Wazuh | Mailing List
Can you please share the logs related to the decoder and rule that you have created? For that, you can use the following command as well:
grep '<part of the log>' /var/ossec/logs/archives/archives.json

To enable the archives, you can refer to https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#enabling-archiving
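Grepping archives.json shows individual events, but the question being debugged is a per-IP one: did the first event carrying a given srcip fire the <if_fts /> rule, or only the parent rule? The following added script (example code, not part of Wazuh or of the original post) answers that over archives.json records. It uses the Bitdefender decoder name and rule ids from the earlier post (parent decoder bitdefender-gz, parent rule 111002, fts rule 111003); the events embedded in SAMPLE_ARCHIVES are constructed for the demo and only mirror the layout of real records (timestamp, decoder, data, rule, full_log).

```python
import json

DECODER = "bitdefender-gz"   # parent decoder name from the post above
FTS_RULE = "111003"          # the <if_fts /> rule from the post above
FTS_FIELD = "srcip"


def parse_archives(text):
    """archives.json holds one JSON object per line; skip blank or broken lines."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            continue
    return events


def audit_fts(events, decoder=DECODER, fts_rule=FTS_RULE, field=FTS_FIELD):
    """For each field value, report whether its earliest event fired fts_rule.

    Returns the values whose first sighting fired the rule, those whose first
    sighting fired something else (or no rule at all), and the full_log of events
    where the decoder matched but the field was never extracted.
    """
    related = []
    for e in events:
        d = e.get("decoder", {})
        if decoder in (d.get("name"), d.get("parent")):
            related.append(e)
    related.sort(key=lambda e: e.get("timestamp", ""))   # first sighting = earliest
    first_rule = {}
    not_extracted = []
    for e in related:
        value = e.get("data", {}).get(field)
        if value is None:
            not_extracted.append(e.get("full_log", ""))
            continue
        if value not in first_rule:
            first_rule[value] = e.get("rule", {}).get("id")   # None if no rule fired
    return {
        "fts_ok": sorted(v for v, r in first_rule.items() if r == fts_rule),
        "first_seen_without_fts": sorted(v for v, r in first_rule.items() if r != fts_rule),
        "field_not_extracted": not_extracted,
    }


def _event(ts, srcip, rule_id, key="source_ip", extracted=True):
    """Constructed archives.json record: real layout, made-up data."""
    ev = {
        "timestamp": ts,
        "decoder": {"name": "bitdefender-gz-fields", "parent": DECODER},
        "location": "/var/log/bitdefender.log",
        "full_log": '{"%s":"%s","event":"traffic"}' % (key, srcip),
        "data": {FTS_FIELD: srcip} if extracted else {},
    }
    if rule_id is not None:
        ev["rule"] = {"id": rule_id, "level": 11 if rule_id == FTS_RULE else 3}
    return ev


SAMPLE_ARCHIVES = "\n".join(json.dumps(e) for e in [
    _event("2025-05-22T10:00:00.000+0000", "203.0.113.5", FTS_RULE),    # new IP, fts fired
    _event("2025-05-22T10:01:00.000+0000", "203.0.113.5", "111002"),    # repeat: parent only
    _event("2025-05-22T10:02:00.000+0000", "198.51.100.7", "111002"),   # new IP, fts did NOT fire
    _event("2025-05-22T10:03:00.000+0000", "192.0.2.9", None,
           key="src_ip", extracted=False),                              # regex never matched
])


def run_demo():
    """Audit the constructed sample; swap in the real archives.json content to use it."""
    return audit_fts(parse_archives(SAMPLE_ARCHIVES))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two caveats when reading the output against a real manager. First, archives.json only contains events logged after archiving was enabled, so an IP that appeared earlier will look "first seen" here even though the manager already knows it. Second, the manager keeps its own record of seen keys on disk (under /var/ossec/queue/fts/), which survives restarts; an IP recorded there before the rule existed will never fire the first-time-seen rule, which is easy to mistake for the rule not working. Entries in field_not_extracted point at the decoder regex rather than at the rule: without srcip in data, there is nothing for <fts> to key on.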

Mithun Haridas

May 28, 2025, 1:24:22 AM
to Wazuh | Mailing List
Hi Stuti,

I apologize for not being able to collect the Bitdefender logs. Instead, I've decided to use the FTS (first time seen) option with FortiAnalyzer logs. Please find the requested details below.

Full Log:
May 22 10:36:44 hostname CEF:0|Fortinet|FortiGate-1F|7.4.6,build2726 (GA)|012001|system event login|4|start=May 22 2025 10:36:44 logver=7042726 deviceExternalId=000000 dvchost=hostname vd=root eventtime=17478958067656786490 tz=+0400 logid=012001 cat=event subtype=system deviceSeverity=information logdesc=Admin login successful sn=174902304 duser=admin sproc=https(0.0.0.0) method=https src=0.0.0.0 dst=0.0.0.0 act=login status=success reason=none profile=super_admin msg=Administrator admin logged in successfully from https(0.0.0.0) tz="+0000"

Decoder:
<decoder name="fortianalyzer">
    <program_name>CEF</program_name>
    <prematch>\|Fortinet\|FortiGate-\S+\|</prematch>
</decoder>

<decoder name="fortianalyzer-fields1">
    <parent>fortianalyzer</parent>
    <regex>src=(\d+.\d+.\d+.\d+)</regex>
    <fts>srcip</fts>
    <order>srcip</order>
</decoder>

Rule:
<group name="firewall,fortianalyzer,syslog,">
  <rule id="111700" level="4">
    <decoded_as>fortianalyzer</decoded_as>
    <description>Fortianalyzer: Messages grouped.</description>
  </rule>
 
  <rule id="111701" level="8">
    <if_sid>111700</if_sid>
    <if_fts />
    <description>Fortianalyzer: Admin login success from $(srcip).</description>
  </rule>
</group>


I hope the information provided is helpful in guiding me further. Please let me know if anything else is needed.

Mithun Haridas

May 30, 2025, 8:45:05 AM
to Wazuh | Mailing List
Hi,

Are there any updates on this?

Stuti Gupta

Jun 2, 2025, 8:07:59 AM
to Wazuh | Mailing List
Hi,

I'm testing this. Meanwhile, can you please add ftscomment to the decoder, restart wazuh-manager, and check whether this is working?

Like:
<decoder name="fortianalyzer-fields1">
    <parent>fortianalyzer</parent>
    <regex>src=(\d+.\d+.\d+.\d+)</regex>
    <fts>srcip</fts>
    <ftscomment>First time ip detected command</ftscomment>
    <order>srcip</order>
</decoder>

Stuti Gupta

Jun 3, 2025, 4:06:21 AM
to Wazuh | Mailing List
Hi Mithun,

I have tested this, and it seems the FTS decoder is sometimes not working as it is supposed to, so I have opened a GitHub issue on this here: https://github.com/wazuh/wazuh/issues/30069
Additionally, we are going to update the rule engine in 5.0, which will have better rule creation options.

Mithun Haridas

Jun 3, 2025, 7:31:12 AM
to Wazuh | Mailing List
Hi Stuti,

When is Wazuh 5.0 expected to be released?

Stuti Gupta

Jun 3, 2025, 7:37:05 AM
to Wazuh | Mailing List
There is no official date for that, but hopefully soon.