Custom Fortimail Rule not abiding by the 200 frequency option


David Lima

Jan 16, 2026, 10:25:56 AM
to Wazuh | Mailing List
I've created a custom rule that detects mass spam originating from the FortiMail data source.
But it's not waiting to hit the 200 frequency before sending the alert via a custom Python script that sends it to an ITSM; the script uses the tag <group>UC</group> to trigger.

- Wazuh version -> 13.0

<group name="custom,">
    <!-- Aggregation: count matches of rule 44719 that share the same "from" address,
         200 within a 120 s timeframe -->
    <rule id="110071" level="4" frequency="200" timeframe="120">
        <if_matched_sid>44719</if_matched_sid>
        <same_field>from</same_field>
        <field name="from">\.+</field>
        <field name="to">\.+</field>
        <description>custom - Fortimail | SPAM aggregation.</description>
    </rule>

    <!-- Escalation: fires on 110071 and carries the UC group that the ITSM script keys on -->
    <rule id="120071" level="14">
        <if_sid>110071</if_sid>
        <description>custom - Fortimail | SPAM alert.</description>
        <group>UC,</group>
    </rule>
</group>

Ifeanyi Onyia Odike

Jan 16, 2026, 11:44:39 AM
to Wazuh | Mailing List
Hi David,

In your instance, do you only get one alert triggered for rule 120071?
Also, can you send me a log sample with redacted information so I can test it in my environment?

I will need to identify the behaviour of your custom rule before proffering a solution.

Regards,

David Lima

Jan 16, 2026, 12:29:06 PM
to Wazuh | Mailing List
It triggers various 120071 alerts, but when I check the previous output on 110071 and the fired times, there are only about 10 or so; that's why I asked why it's not following the frequency set.

You can use the following as an example to hit the 200 threshold.

Jan 16 14:11:38 10.0.52.206 date=2026-01-16 time=14:11:38.929 device_id=FEV000000 log_id=0300028303 type=spam subtype=default pri=information  session_id="12345678910" client_name="mail78.email" client_ip="3.120.1.2" dst_ip="10.0.36.1" from="te...@gmail.com" to="desti...@gmail.com" subject="Re:  Test analysis" msg="File name: image060.png, scanned by Antivirus Scanner(clean), Attachment Filter(clean)"
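To reason about what "200 matches in 120 seconds, keyed on `from`" implies for test data, here is an added example that models rule 110071 in Python. It is not Wazuh's code and not anything from the thread: it parses FortiMail key=value lines of the shape posted above, keeps a sliding window of event times per sender, fires when the window holds 200 events, and clears the window after firing so one burst yields one aggregate alert. Those counting choices are assumptions of the model; the thread does not establish how Wazuh's own frequency counter behaves. The `make_burst` helper generates constructed copies of the posted line (same `from`, distinct `to` and `session_id`) that you can also replay into your own pipeline; standing in for the `if_matched_sid 44719` precondition, the model only counts lines with `type=spam`, since the thread does not say what 44719 matches.

```python
"""Model of a frequency/timeframe rule keyed on a field, fed with FortiMail
key=value log lines. Added example for this thread; it is not Wazuh code and
only approximates the engine's counting."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The (already redacted) spam line posted in the thread, used as a template.
SAMPLE = ('Jan 16 14:11:38 10.0.52.206 date=2026-01-16 time=14:11:38.929 device_id=FEV000000 '
          'log_id=0300028303 type=spam subtype=default pri=information  session_id="12345678910" '
          'client_name="mail78.email" client_ip="3.120.1.2" dst_ip="10.0.36.1" from="te...@gmail.com" '
          'to="desti...@gmail.com" subject="Re:  Test analysis" '
          'msg="File name: image060.png, scanned by Antivirus Scanner(clean), Attachment Filter(clean)"')

# key=value pairs: the value is either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortimail(line: str) -> dict:
    """Return the key=value fields of one FortiMail syslog line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def event_time(fields: dict) -> datetime:
    """Timestamp from the device's own date/time fields (not the syslog header)."""
    return datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S.%f")


def make_burst(n: int, spacing_s: float, sender: str = "te...@gmail.com",
               start: datetime = datetime(2026, 1, 16, 14, 11, 38)) -> list:
    """Constructed test data: n copies of SAMPLE from one sender, spacing_s apart,
    each with a distinct recipient and session_id (only `from` needs to repeat)."""
    lines = []
    for i in range(n):
        ts = start + timedelta(seconds=i * spacing_s)
        tstr = ts.strftime("%H:%M:%S.") + f"{ts.microsecond // 1000:03d}"
        line = re.sub(r'date=\S+ time=\S+', f'date={ts:%Y-%m-%d} time={tstr}', SAMPLE)
        line = re.sub(r'session_id="[^"]*"', f'session_id="{1000000 + i}"', line)
        line = re.sub(r'from="[^"]*"', f'from="{sender}"', line)
        line = re.sub(r'to="[^"]*"', f'to="user{i}@example.net"', line)
        lines.append(line)
    return lines


class FrequencyRule:
    """Fire when `frequency` events sharing `same_field` arrive within `timeframe` seconds.
    Model assumption: one sliding window per key, cleared after each firing."""

    def __init__(self, frequency: int, timeframe: int, same_field: str = "from"):
        self.frequency, self.timeframe, self.same_field = frequency, timeframe, same_field
        self.windows = defaultdict(deque)

    def feed(self, fields: dict):
        key = fields.get(self.same_field)
        if key is None:  # mirrors <field name="from">\.+</field>: no sender, no match
            return None
        ts = event_time(fields)
        q = self.windows[key]
        cutoff = ts - timedelta(seconds=self.timeframe)
        while q and q[0] < cutoff:  # drop events older than the timeframe
            q.popleft()
        q.append(ts)
        if len(q) >= self.frequency:
            count = len(q)
            q.clear()
            return {self.same_field: key, "time": ts, "count": count}
        return None


def run_rule(lines, frequency=200, timeframe=120, same_field="from") -> list:
    """Feed lines in order; return the aggregate alerts the model raises."""
    rule = FrequencyRule(frequency, timeframe, same_field)
    alerts = []
    for line in lines:
        fields = parse_fortimail(line)
        if fields.get("type") != "spam":  # assumed stand-in for the 44719 precondition
            continue
        hit = rule.feed(fields)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    print(run_rule(make_burst(200, 0.5)))  # 200 mails in 100 s: one aggregate alert
    print(run_rule(make_burst(200, 1.5)))  # same count spread over 300 s: never 200 in any 120 s
```

Two senders with 150 mails each produce no alert in this model, which is what `same_field` means: the count is per sender, not per rule. If the real engine is firing 120071 after far fewer than 200 events, that is a difference between the engine's counter and this window model, and the generated burst is the input to compare both against.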