Custom rules using fts option

[Mithun Haridas]

Hi team, 

  If a new IP appears in a log—that is, the first time the IP has been detected in the environment. 

Can I set up a rule to be triggered for the above scenario?

While referring Wazuh documentation I noticed fts option in it, but I could not find much information. Can anyone guide me with this scenario by creating a sample rule.

Regards

[Stuti Gupta]

Hi Mithun Haridas,

Yes, you're correct, you can achieve your use case using the fts(First Time Seen) syntax. Here's an example to illustrate it:

Suppose your log looks like this:
web: [10.150.46.225] FAILED_LOGIN (admin)

You can create a decoder like the following:

<decoder name="barracuda-web">
        <prematch>web: </prematch>
</decoder>
<decoder name="barracuda-failed-login">
        <parent>barracuda-web</parent>
        <prematch>FAILED_LOGIN</prematch>
        <regex>web: [(\d+.\d+.\d+.\d+)] FAILED_LOGIN \p(\.+)\p</regex>
        <fts>srcip</fts>
        <ftscomment>First time ip detected command</ftscomment>
        <order>srcip,user</order>
</decoder>

Make sure the decoder includes both <fts> and <ftscomment> tags. The fts field must be a static field extracted by the decoder, in this case, srcip (  <fts>srcip</fts> ).
Refer to https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html#fts

Next, you can create a custom rule like this:

<group name="web">
<rule id="100003" level="3">
        <if_sid>1002</if_sid>
        <decoded_as>barracuda-web</decoded_as>
        <if_fts />
        <description>login failed from $(srcip)</description>
</rule>
</group>
Refer to https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-fts

This rule will trigger only the first time a unique IP address appears in the logs, because of <if_fts />, which ensures the rule fires only on the first match when scrip is new



Let me know if you need any further assistance!

[Mithun Haridas]

Hi Stuti, 

I have tried the above steps you mentioned, 

    1. Added the fts option to the decoder,

         <decoder name="bitdefender-gz-fields">

           <parent>bitdefender-gz</parent>
           <regex>"source_ip":"(\d+.\d+.\d+.\d+)"</regex>
           <fts>srcip</fts>
           <ftscomment>First time seen IP</ftscomment>
           <order>srcip</order>
         </decoder>

     2. Created a custom rule,

          <rule id="111003" level="11">

            <if_sid>111002</if_sid>
            <if_fts />
            <description>Bitdefender: Traffic from new $(srcip).</description>
          </rule> 

My logs are currently being triggered in 111002, but even when I submit a fresh IP, they are not triggering in 111003.

To trigger this rule, is there anything further that needs to be set up?

Regards,

[Mithun Haridas]

Hi team,

Can someone help me with this issue?

[Stuti Gupta]

Can you please share the logs related to the decoder and rule that you have created? For that, you can use the following command as well:
cat /var/ossec/logs/archives/archives.json | grep <part of the log>

To enable the archives, you can refer to https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#enabling-archiving

[Mithun Haridas]

Hi Stuti,

I apologize for not being able to collect the Bitdefender logs. Instead, I’ve decided to utilize the FTS (First Time Seen) option to work with FortiAnalyzer logs. Please find the requested details provided below.

Full Log:

May 22 10:36:44 hostname CEF:0|Fortinet|FortiGate-1F|7.4.6,build2726 (GA)|012001|system event login|4|start=May 22 2025 10:36:44 logver=7042726 deviceExternalId=000000 dvchost=hostname vd=root eventtime=17478958067656786490 tz=+0400 logid=012001 cat=event subtype=system deviceSeverity=information logdesc=Admin login successful sn=174902304 duser=admin sproc=https(0.0.0.0) method=https src=0.0.0.0 dst=0.0.0.0 act=login status=success reason=none profile=super_admin msg=Administrator admin logged in successfully from https(0.0.0.0) tz="+0000"

Decoder:

<decoder name="fortianalyzer">
    <program_name>CEF</program_name>
    <prematch>\|Fortinet\|FortiGate-\S+\|</prematch>
</decoder>

<decoder name="fortianalyzer-fields1">
    <parent>fortianalyzer</parent>
    <regex>src=(\d+.\d+.\d+.\d+)</regex>
    <fts>srcip</fts>
    <order>srcip</order>
</decoder>

Rule:

<group name="firewall,fortianalyzer,syslog,">
  <rule id="111700" level="4">
    <decoded_as>fortianalyzer</decoded_as>
    <description>Fortianalyzer: Messages grouped.</description>
  </rule>
 
  <rule id="111701" level="8">
    <if_sid>111700</if_sid>
    <if_fts />
    <description>Fortianalyzer: Admin login success from $(srcip).</description>
  </rule>

</group>


I hope the information provided is helpful in guiding me further. Please let me know if anything else is needed

[Mithun Haridas]

Hi,

Is there any updates on this?

[Stuti Gupta]

Hi 

I'm testing this, meanwhile, can you please add ftscomment in decoder, restart the wazuh-manage,r and check if this is working:

Like:

<decoder name="fortianalyzer-fields1">
    <parent>fortianalyzer</parent>
    <regex>src=(\d+.\d+.\d+.\d+)</regex>
    <fts>srcip</fts>

    <ftscomment>First time ip detected command</ftscomment>

    <order>srcip</order>
</decoder>

[Stuti Gupta]

HI  Mithun 

I have tested this, and it seems the FTS decoder is sometimes not working as it is supposed to. So I have opened a GitHub issue on this here  https://github.com/wazuh/wazuh/issues/30069
Additionally, we are going to update the rule engine in 5.0, which will have better rules creation options.

[Mithun Haridas]

Hi  Stuti

When is Wazuh 5.0 expected to be released?

[Stuti Gupta]

There is no official date that but hopefully soon