cdb list doble

German DiCasas

May 21, 2026, 11:36:42 AM
to Wazuh | Mailing List
Hi team,

Is it possible in Wazuh 14.1 to have a rule with two CDB lists? Could it be that the rule checks only one?

<rule id="100010" level="15">
  <if_sid>60106,92657</if_sid>
  <list field="win.eventdata.targetUserName" lookup="address_match_key">etc/lists/admins</list>
  <list field="win.eventdata.targetUserName" lookup="not_match_key">etc/lists/admins-list-no</list>
  <description>User "$(win.eventdata.targetUserName)" logged</description>
  <mitre>
    <id>T1564.001</id>
  </mitre>
</rule>

Regards

German

Eli Josue Rodriguez

May 21, 2026, 1:02:01 PM
to Wazuh | Mailing List
Hello German,

This behavior is related to current limitations in the Wazuh rules engine when combining multiple CDB list evaluations in the same rule.

Your example tries to evaluate:

  • a positive match against etc/lists/admins

  • and a negative match against etc/lists/admins-list-no

Although multiple <list> tags are accepted syntactically, the engine does not fully support advanced combinations/conditional logic between CDB lists in a single rule evaluation.

There are some related discussions/issues about this limitation. You can find some of them here https://github.com/wazuh/wazuh/issues/18311#issuecomment-1677295539

At the moment, the recommended workaround is to split the logic into multiple rules (one per desired combination or condition).
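One way to apply the split described above, as an added example that is not from this thread or from the Wazuh project: a first rule fires only when the user is a key in etc/lists/admins, and a second rule chained to it via <if_sid> applies the not_match_key lookup against etc/lists/admins-list-no, so each rule evaluates exactly one list. The rule ids 100011 and 100012, the group name, the level values, and the use of match_key instead of address_match_key (the field holds a user name, not an IP address) are assumptions of this example.

```xml
<group name="local,windows,cdb_admins,">

  <!-- Stage 1: matches only when the target user is a key in the admins list.
       Level 0 so that this rule alone never produces an alert; it exists only
       as a parent for the second check. (Rule ids and group name are assumed.) -->
  <rule id="100011" level="0">
    <if_sid>60106,92657</if_sid>
    <list field="win.eventdata.targetUserName" lookup="match_key">etc/lists/admins</list>
    <description>Admin user "$(win.eventdata.targetUserName)" logged on (intermediate)</description>
  </rule>

  <!-- Stage 2: only events that already matched stage 1 reach this rule, and it
       applies the second list as a negative check. The net effect is
       "in admins AND not in admins-list-no", with one CDB lookup per rule. -->
  <rule id="100012" level="15">
    <if_sid>100011</if_sid>
    <list field="win.eventdata.targetUserName" lookup="not_match_key">etc/lists/admins-list-no</list>
    <description>Admin user "$(win.eventdata.targetUserName)" not on the exclusion list logged on</description>
    <mitre>
      <id>T1564.001</id>
    </mitre>
  </rule>

</group>
```

Because Wazuh reports the deepest matching rule in the chain, an admin who is on admins-list-no matches 100011 (level 0, no alert) but not 100012, while any other admin raises the level 15 alert.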
