Adding custom rule to a rules group


Obay Abadi

Jan 5, 2024, 11:21:38 AM
to Wazuh | Mailing List
Hello Wazuh guys,

I've created a custom rule for my IAM solution and it's working fine, alerts are showing up, but I want to add those alerts to the dashboard counts "Authentication failure" and "Authentication success" that show up on the main Wazuh dashboard.

So I added the <group> tag to the custom rule, but when I do that the alert doesn't show up, and there are no logs coming to archive.log.

The rule that works, before adding rule.group:

<group name="MY IAM">
  <rule id="100025" level="3">
    <decoded_as>json</decoded_as>
    <field name="event">login</field>
    <description>Successful Login Attempt by user: $(user)</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100026" level="7">
    <if_sid>100025</if_sid>
    <field name="error">invalid</field>
    <description>Failed Login Attempt by the user: $(user)</description>
    <options>no_full_log</options>
  </rule>
</group>

The rule that doesn't work, after adding rule.group:

<group name="MY IAM">
  <rule id="100025" level="3">
    <decoded_as>json</decoded_as>
    <field name="event">login</field>
    <description>Successful Login Attempt by user: $(user)</description>
    <options>no_full_log</options>
    <group>authentication_success</group>
  </rule>

  <rule id="100026" level="7">
    <if_sid>100025</if_sid>
    <field name="error">invalid</field>
    <description>Failed Login Attempt by the user: $(user)</description>
    <options>no_full_log</options>
    <group>authentication_failed</group>
  </rule>
</group>

Eric Franco Fahnle

Jan 5, 2024, 1:40:41 PM
to Wazuh | Mailing List
Hey Obay, hope you're doing good. 

I was checking the docs (here: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#group) and I see that it always closes the string with a comma, even if it is a single element. So that'd be

<group>authentication_success,</group>

And

<group>authentication_failed,</group>

That's the only thing I see different in your config. Please try that and let me know. If it doesn't work, I'd try to reproduce it in my lab.

Regards,
Eric

Obay Abadi

Jan 8, 2024, 1:55:40 AM
to Wazuh | Mailing List
Hey Eric,

Thank you for getting back. I have tried closing the <group> tag with a comma, but it also doesn't work.

Can you please assist?

Obay

Obay Abadi

Jan 8, 2024, 7:48:19 AM
to Wazuh | Mailing List
Hey Eric,

I solved the issue by adding a comma at the start of the tag as well:

<group>,authentication_failed,</group>

Thanks
Obay
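An added example, not part of the thread and not Wazuh's own code: a small Python model of the two rules above, so the group labels an alert will carry can be checked offline before the rules go onto a manager. The rule set is the thread's final version with comma-terminated <group> values, the two JSON log lines are constructed, and the engine is a deliberate simplification of analysisd (a rule's <field> is tested with Python's re.search instead of Wazuh's regex engine, and an alert's groups are just the file's group name plus the rule's own <group> entries, split on commas with empty tokens dropped). It also includes a lint that flags any rule whose <group> text does not end with the trailing comma that the Wazuh docs examples use, which is the detail this thread turned on.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed rule set for this example: the thread's two rules with the
# comma-terminated <group> values from the final working version.
RULES_XML = """
<group name="MY IAM">
  <rule id="100025" level="3">
    <decoded_as>json</decoded_as>
    <field name="event">login</field>
    <description>Successful login attempt by user: $(user)</description>
    <options>no_full_log</options>
    <group>authentication_success,</group>
  </rule>
  <rule id="100026" level="7">
    <if_sid>100025</if_sid>
    <field name="error">invalid</field>
    <description>Failed login attempt by user: $(user)</description>
    <options>no_full_log</options>
    <group>authentication_failed,</group>
  </rule>
</group>
"""

# Constructed sample events, as the IAM system might emit them (not real logs).
SUCCESS_LOG = json.dumps({"event": "login", "user": "alice"})
FAIL_LOG = json.dumps({"event": "login", "user": "bob", "error": "invalid password"})


def split_groups(value):
    """Split a comma-separated group string into names, dropping empty tokens."""
    return [g.strip() for g in (value or "").split(",") if g.strip()]


def load_rules(xml_text):
    """Parse a rules file into dicts, in file order, each carrying its parent group names."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    rules = []
    for grp in root.findall("group"):
        parent_groups = split_groups(grp.get("name"))
        for r in grp.findall("rule"):
            rules.append({
                "id": r.get("id"),
                "level": int(r.get("level")),
                "if_sid": split_groups(r.findtext("if_sid")),
                "decoded_as": r.findtext("decoded_as"),
                "fields": {f.get("name"): f.text for f in r.findall("field")},
                "description": r.findtext("description") or "",
                # Simplified model: file group name(s) followed by the rule's own groups.
                "groups": parent_groups + split_groups(r.findtext("group")),
            })
    return rules


def fields_match(rule, event):
    """Every <field> must exist in the decoded event and match its pattern (regex approximation)."""
    return all(name in event and re.search(pattern, str(event[name]))
               for name, pattern in rule["fields"].items())


def evaluate(rules, event):
    """Return the most specific matching rule: a child (if_sid) rule replaces its parent."""
    matched = None
    for rule in rules:
        if rule["decoded_as"] and rule["decoded_as"] != "json":
            continue
        if rule["if_sid"] and (matched is None or matched["id"] not in rule["if_sid"]):
            continue
        if fields_match(rule, event):
            matched = rule
    return matched


def alert(rules, raw_log):
    """Build the rule portion of an alert for one JSON log line, or None if nothing fires."""
    event = json.loads(raw_log)
    rule = evaluate(rules, event)
    if rule is None:
        return None
    # Expand $(field) placeholders in the description the way the thread's rules use them.
    desc = re.sub(r"\$\((\w+)\)", lambda m: str(event.get(m.group(1), "")), rule["description"])
    return {"rule": {"id": rule["id"], "level": rule["level"],
                     "description": desc, "groups": rule["groups"]}}


def unterminated_groups(xml_text):
    """Ids of rules whose <group> text lacks the trailing comma used in the Wazuh docs examples."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    return [r.get("id") for r in root.iter("rule")
            if r.findtext("group") is not None and not r.findtext("group").strip().endswith(",")]


if __name__ == "__main__":
    loaded = load_rules(RULES_XML)
    for raw in (SUCCESS_LOG, FAIL_LOG):
        print(json.dumps(alert(loaded, raw)))
    print("rules with unterminated <group>:", unterminated_groups(RULES_XML))
```

The dashboard's "Authentication success" and "Authentication failure" counters are driven by the alert's rule.groups values, so what matters is that the failure alert comes out with authentication_failed in that list and the success alert with authentication_success; the model above shows the groups each event would carry. It is a stand-in for a quick sanity check only: on a real manager, put the rules in /var/ossec/etc/rules/local_rules.xml, restart the wazuh-manager service, and confirm with /var/ossec/bin/wazuh-logtest, which prints the rule id, level and groups that analysisd itself assigns to a pasted log line.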

Eric Franco Fahnle

Jan 8, 2024, 12:55:40 PM
to Wazuh | Mailing List
Hey Obay, hope you're doing great!

Oh my, I missed that comma. Sorry for that, glad you found it yourself. If you need anything else don't hesitate to ask.

Regards!
Eric
