Re: Correlation two logs different location

Javier Adán Méndez Méndez

Nov 3, 2025, 11:27:49 PM11/3/25
to Wazuh | Mailing List
Hi! The issue is that same_field doesn’t trigger because the field path or value isn’t identical between both events. Make sure both logs have the exact same field (e.g. user.name) with the same value and type. I recommend normalizing win.eventdata.targetUserName → user.name in both decoders, then using two correlation rules (one for each arrival order) with <same_field>user.name</same_field>. That should solve it reliably without false positives.

On Monday, November 3, 2025 at 2:50:06 PM UTC-6 ccc c wrote:
Hello everyone,

I have the following problem with correlating two logs from AD and FortiGate. When I log in through VPN using a domain account, two alerts are generated — 81614 and 60122. I’d like to correlate these logs, preferably using the field win.eventdata.targetUserName, which I also added to the FortiGate decoder. This field appears in the logs and has the same value as in AD, but the correlation still doesn’t work. I’ve tried everything.

<group name="custom,correlation">
  <rule id="100100" level="15" timeframe="10">
    <if_sid>81614</if_sid>
    <if_matched_sid>60122</if_matched_sid>
    <same_field>win.eventdata.targetUserName</same_field>
    <description>Correlation VPN (81614) i AD (60122) </description>
    <group>correlation,wazuh</group>
  </rule>
</group>

Only this works:

<group name="custom,correlation,">
  <rule id="100100" level="15" frequency="2" timeframe="10">
    <if_sid>81614,60122</if_sid>
    <description>Correlation 81614 (VPN) i 60122 (AD) </description>
    <group>correlation,wazuh</group>
  </rule>
</group>

But this might sometimes generate a false event. Is there any other way to correlate it correctly?
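The difference between the two rules in this thread, and the field-name mismatch Javier points at, is easier to see in a small model than by reading analysisd's rule semantics. The script below is an added example, not part of the thread and not Wazuh code: it replays a handful of constructed events through two simplified correlators. `frequency_only` models the poster's second rule (any two 81614/60122 events within the timeframe, user ignored), and `same_field_correlation` models a pair of `<same_field>` rules, one per arrival order, that only fire when the partner rule id has already been seen with the identical field value. The event list, user names and timestamps are constructed, and the timeframe handling is a simplification of how Wazuh actually tracks matched events.

```python
from collections import defaultdict, deque

# Constructed sample events, not from the thread: (timestamp_seconds, rule_id, decoded_fields)
FIELD = "win.eventdata.targetUserName"
EVENTS = [
    (0,  60122, {FIELD: "alice"}),      # AD logon for alice
    (3,  81614, {FIELD: "bob"}),        # VPN logon for a different user within 10 s
    (5,  81614, {FIELD: "alice"}),      # VPN logon for alice (AD event arrived first)
    (30, 81614, {FIELD: "carol"}),      # VPN logon for carol (VPN event arrives first)
    (32, 60122, {FIELD: "carol"}),      # AD logon for carol
    (40, 81614, {"user": "dave"}),      # VPN decoder emitted a different field name
    (42, 60122, {FIELD: "dave"}),       # AD event for dave: same value, different path
]

TIMEFRAME = 10
PAIR = {60122, 81614}


def frequency_only(events, field=FIELD, timeframe=TIMEFRAME, frequency=2):
    """Model of a rule with <if_sid>81614,60122</if_sid> frequency="2":
    fires whenever `frequency` events from either id fall inside `timeframe`,
    without looking at who logged in. Returns (timestamp, users_in_window)."""
    window = deque()
    hits = []
    for ts, rid, fields in events:
        if rid not in PAIR:
            continue
        window.append((ts, fields))
        while window and ts - window[0][0] > timeframe:
            window.popleft()
        if len(window) >= frequency:
            users = sorted({f.get(field, "<missing>") for _, f in window})
            hits.append((ts, users))
            window.clear()
    return hits


def same_field_correlation(events, field=FIELD, timeframe=TIMEFRAME):
    """Model of two <same_field> rules (60122 then 81614, and 81614 then 60122):
    fires only when the partner id was already seen with the same value of `field`
    inside `timeframe`. Events lacking the field can never match, which is the
    symptom described in the thread when decoders name the field differently."""
    recent = defaultdict(list)  # field value -> [(timestamp, rule_id), ...]
    hits = []
    for ts, rid, fields in events:
        if rid not in PAIR or field not in fields:
            continue
        value = fields[field]
        recent[value] = [(t, r) for t, r in recent[value] if ts - t <= timeframe]
        partner = (PAIR - {rid}).pop()
        if any(r == partner for _, r in recent[value]):
            hits.append((ts, value, f"{partner}->{rid}"))
            recent[value] = []  # pair consumed, avoid double-firing on a third event
        else:
            recent[value].append((ts, rid))
    return hits


if __name__ == "__main__":
    print("frequency-only rule fired on:", frequency_only(EVENTS))
    print("same_field rules fired on:  ", same_field_correlation(EVENTS))
```

Running it shows the frequency-only rule firing at t=3 for alice and bob (two unrelated logons) and at t=42 even though one of the two events has no `win.eventdata.targetUserName` at all, while the `same_field` model fires only for alice and carol, in both arrival orders, and stays silent for dave because the FortiGate-side event carries the value under another field name. That last case is exactly why Javier's advice is to make both decoders emit the same field path before relying on `<same_field>`.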

