Hi Hedi,
Thanks for using our community.
By default you will see on Kibana only level 3 alerts and above. This is configured in your Wazuh Manager's ossec.conf.
If you would like to get all informational alerts (level 2 for example) you would need to edit the <log_alert_level> value.
To achieve this, edit the file /var/ossec/etc/ossec.conf on your Manager and edit the <log_alert_level> value inside the <alerts> section; it will look like this:
<alerts>
  <log_alert_level>2</log_alert_level>
  <email_alert_level>12</email_alert_level>
</alerts>
With this configuration you would start receiving all alerts with level 2 or above. You can also add level 1 alerts, just by setting the value to 1.
If what you want is to only see the 64501 alerts (or a limited group of level 1 or 2 alerts), you can just overwrite the default rule 64501 with a custom rule which sets the level to 3 and hence will be seen in Kibana.
To achieve this you can add the following rule to the file /var/ossec/etc/rules/local_rules.xml (inside the tag):
<rule id="64501" level="3" overwrite="yes">
  <if_sid>64500</if_sid>
  <field name="severity" type="pcre2">(?i)^(?:informational|low)$</field>
  <description>Palo Alto $(type): $(severity) event.</description>
</rule>
Basically you will be overwriting the rule and changing its alert level. You can repeat this process with the rest of the rules you want to do this with.
Below are some reference documents on these topics:
https://documentation.wazuh.com/current/learning-wazuh/replace-stock-rule.html (Overwrite rules)
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html (Custom rules and decoders)
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/alerts.html (log alert)
Regards!
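
Added example, not part of the original reply and not Wazuh project code: a small Python check that reads the log_alert_level threshold and the rule levels described above and reports which rules would reach the alert log. The sample file contents, the group name, rule 100010 and the function names are constructed for illustration; taking the last log_alert_level found when several are present is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample of /var/ossec/etc/ossec.conf (note the two top-level blocks).
OSSEC_CONF = """
<ossec_config>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
</ossec_config>
<ossec_config>
  <!-- a second block, as many real ossec.conf files have -->
</ossec_config>
"""

# Constructed sample of /var/ossec/etc/rules/local_rules.xml.
LOCAL_RULES = """
<group name="local,paloalto,">
  <rule id="64501" level="3" overwrite="yes">
    <if_sid>64500</if_sid>
    <field name="severity" type="pcre2">(?i)^(?:informational|low)$</field>
    <description>Palo Alto $(type): $(severity) event.</description>
  </rule>
  <rule id="100010" level="2">
    <if_sid>64500</if_sid>
    <description>Constructed level 2 rule.</description>
  </rule>
</group>
"""

def _parse(text):
    # Both files may hold several top-level elements, which a strict XML
    # parser rejects, so wrap the content in a single synthetic root.
    return ET.fromstring("<wrapper>" + text + "</wrapper>")

def log_alert_level(conf_text, default=3):
    # Default of 3 follows the reply above; last value wins (assumption).
    levels = [int(e.text) for e in _parse(conf_text).iter("log_alert_level") if e.text]
    return levels[-1] if levels else default

def rule_visibility(conf_text, rules_text):
    # Map rule id -> True when the rule's level meets the logging threshold.
    threshold = log_alert_level(conf_text)
    return {r.get("id"): int(r.get("level")) >= threshold
            for r in _parse(rules_text).iter("rule")}

if __name__ == "__main__":
    for rule_id, visible in rule_visibility(OSSEC_CONF, LOCAL_RULES).items():
        print(rule_id, "logged" if visible else "below log_alert_level")
```
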