Hello Ayoub,
Thank you for using Wazuh.
I understand that you want to configure Wazuh to detect AnyDesk application usage through Fortigate v5 logs. Let me guide you to implement your custom rule for this.
Your custom rule seems well structured. Would you let me know what the other rule ID triggered during your rule test was?
I am going to troubleshoot the issue from my end. This would require a sample log from you that you tested. Please mask any sensitive information before sharing the requested log.
Looking forward to your reply.
Kind regards,
Thanks for your feedback. I have version 4.3.9 of Wazuh. The log is decoded as v5. I tried to change the decoder name to v6 by modifying if_sid with the id of the version 6 decoder. I tried again, but the same rule is triggered, as shown below:
Phase 3: Completed filtering (rules).
id: '81634'
level: '5'
description: 'Fortigate: App blocked by firewall.'
groups: '["fortigate","syslog","firewall_drop"]'
firedtimes: '1'
gdpr: '["IV_35.7.d"]'
hipaa: '["164.312.b"]'
mail: 'false'
nist_800_53: '["AU.6"]'
pci_dss: '["10.6.1"]'
Alert to be generated.
Thanks in advance for your help
Abdullah Al Noman |
Security Engineer |
The Open Source Security Platform |
Hi Ayoub,
Based on your wazuh-logtest output, rule ID 81634 is triggering. Therefore, you need to use this rule ID as the sid in your custom rule so that your custom rule can work.
Your first custom rule contains 81634 as the sid. I am not sure why you changed it later even though I instructed you with the exact contents and steps to follow. However, I can assure you that if you replace the <if_sid>81641</if_sid> with <if_sid>81634</if_sid> in your custom rule, you will get the expected output.
Follow our official documentation on Custom rules and decoders to learn more.
Hope this resolves your query.
Have a nice rest of the day.
Kind regards,
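For readers following the thread, here is an added example of the custom rule shape being discussed; it is not the original poster's rule nor Wazuh's own ruleset. It assumes the Fortigate event text names the blocked application as "AnyDesk" and uses rule ID 100100 (custom rules must use IDs in the 100000-119999 range).

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml (not from the thread).
     The parent rule is 81634, the rule that wazuh-logtest showed as actually
     firing for these Fortigate v5 logs, so the child is evaluated only after it. -->
<group name="local,fortigate,">
  <rule id="100100" level="8">
    <!-- Chain to "Fortigate: App blocked by firewall." (id 81634 in the logtest output) -->
    <if_sid>81634</if_sid>
    <!-- Assumption: the app name appears as AnyDesk or anydesk somewhere in the log line.
         OS_Regex alternation covers both spellings without needing a decoded field name. -->
    <regex>AnyDesk|anydesk</regex>
    <description>Fortigate: AnyDesk remote access tool blocked by firewall.</description>
    <group>remote_access,</group>
  </rule>
</group>
```

After restarting wazuh-manager, re-run the same sample log through wazuh-logtest: Phase 3 should now report id '100100' instead of '81634', confirming the child rule matched.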