Custom Fortimail Rule not abiding by the 200 frequency option


David Lima

Jan 16, 2026, 10:25:56 AM
to Wazuh | Mailing List
I've created a custom rule that detects mass spam originating from the Fortimail data source.
But it's not waiting to hit the 200 frequency before sending the alert via a custom py script that sends it to an ITSM; the script uses the tag <group>UC</group> to trigger the script.

- Wazuh version -> 13.0

<group name="custom,">
    <rule id="110071" level="4" frequency="200" timeframe="120">
        <if_matched_sid>44719</if_matched_sid>
        <same_field>from</same_field>
        <field name="from">\.+</field>
        <field name="to">\.+</field>
        <description>custom - Fortimail | SPAM aggregation.</description>
    </rule>

    <rule id="120071" level="14">
        <if_sid>110071</if_sid>
        <description>custom - Fortimail | SPAM alert.</description>
        <group>UC,</group>
    </rule>
</group>

Ifeanyi Onyia Odike

Jan 16, 2026, 11:44:39 AM
to Wazuh | Mailing List
Hi David,

In your instance, do you only get one alert triggered for the rule 120071?
Also, can you send me a log sample with redacted information so I can test it in my environment?

I will need to identify the behaviour of your custom rule before proffering a solution.

Regards,

David Lima

Jan 16, 2026, 12:29:06 PM
to Wazuh | Mailing List
It triggers various 120071 alerts, but when I check the previous output on 110071 and the fired times, there are only about 10 or so; that's why my question about why it's not following the frequency set.

You can use the following as an example to hit the 200 threshold.

Jan 16 14:11:38 10.0.52.206 date=2026-01-16 time=14:11:38.929 device_id=FEV000000 log_id=0300028303 type=spam subtype=default pri=information  session_id="12345678910" client_name="mail78.email" client_ip="3.120.1.2" dst_ip="10.0.36.1" from="te...@gmail.com" to="desti...@gmail.com" subject="Re:  Test analysis" msg="File name: image060.png, scanned by Antivirus Scanner(clean), Attachment Filter(clean)"

Ifeanyi Onyia Odike

Jan 19, 2026, 5:14:45 AM
to Wazuh | Mailing List
Hi David,

These are the results I got when I used the log you shared, fired times = 400 within a timeframe of 30 seconds:
In my instance, the rules follow the frequency set specified in 110071.

Untitled 2.png

There are no alerts for 110071 because the rule 120071 fulfils that requirement in the rule chain, hence that is the alert you see.

Can you double-check your script to ensure it checks for <group>UC</group> (rule 120071) before execution?

David Lima

Jan 19, 2026, 2:21:51 PM
to Wazuh | Mailing List
I've tried with 201 in the frequency and it worked. Mindblowing. Do you have any tips on how to extract each TO field from rule 110071? So that I can send it to my ITSM with all users that have received the e-mail.

David Lima

Jan 19, 2026, 2:21:51 PM
to Wazuh | Mailing List
Hey!

I've tried setting the frequency to 2 and 20; both worked. But when I set it to 200 it doesn't work. It's really weird.

When I set it to 200:
**Phase 3: Completed filtering (rules).
id: '44719'
level: '3'
description: 'FortiMail: SPAM-related events.'
groups: '["fortimail"]'
firedtimes: '200'
mail: 'false'
**Alert to be generated.

When I set it to 2 for testing:
**Phase 3: Completed filtering (rules).
id: '120071'
level: '14'
description: 'redacted - Fortimail | SPAM detectado.'
groups: '["UC"]'
firedtimes: '2'
info: 'redacted'
mail: 'false'
**Alert to be generated.

Ifeanyi Onyia Odike

Jan 21, 2026, 5:08:29 AM
to Wazuh | Mailing List
Hi David

Regarding your question:
"Do you have any tips on how to extract each TO field from rule 110071? So that I can send it to my ITSM with all users that have received the e-mail."

You can try this rule:

  <rule id="110081" level="3">
    <if_sid>44719</if_sid>
    <field name="type">spam</field>
    <field name="to">desti...@gmail.com</field>
    <description>$(to)</description>
  </rule>

The above rule extracts the destination field "to" and passes it to the description field (see screenshot below).

Untitled 3.png
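Putting the thread's two points together (a script that acts only on alerts carrying the UC group, and collecting every recipient behind a correlated 110071/120071 alert), here is an added Python example; it is not David's script or Wazuh project code. It assumes the alert JSON layout a Wazuh integration script receives (rule.groups, data.to from the Fortimail decoder, and previous_output holding the earlier matched logs of a frequency rule); the sample alert and all addresses are constructed.

```python
import re

# Constructed sample alert in the shape a Wazuh integration script is handed.
# rule.groups carries the rule's <group> tags, data.to is the decoded Fortimail
# field, and previous_output holds the earlier logs matched by the frequency rule,
# one per line. Hosts and addresses are made up for this example.
SAMPLE_ALERT = {
    "rule": {"id": "120071", "level": 14, "groups": ["UC"], "firedtimes": 2},
    "data": {"from": "sender@example.invalid", "to": "user3@example.invalid"},
    "previous_output": (
        'Jan 16 14:11:38 10.0.52.206 date=2026-01-16 time=14:11:38.929 type=spam '
        'from="sender@example.invalid" to="user1@example.invalid" subject="Re: Test"\n'
        'Jan 16 14:11:39 10.0.52.206 date=2026-01-16 time=14:11:39.001 type=spam '
        'from="sender@example.invalid" to="user2@example.invalid" subject="Re: Test"\n'
        'Jan 16 14:11:40 10.0.52.206 date=2026-01-16 time=14:11:40.120 type=spam '
        'from="sender@example.invalid" to="user1@example.invalid" subject="Re: Test"'
    ),
}

# Matches the to="..." key/value pair of a Fortimail log line.
TO_FIELD = re.compile(r'\bto="([^"]+)"')


def has_group(alert, group="UC"):
    """True only when the alert's rule carries the group this script acts on."""
    return group in alert.get("rule", {}).get("groups", [])


def collect_recipients(alert):
    """Sorted, de-duplicated recipients: the current event's data.to plus every
    to="..." value found in the correlated previous_output lines."""
    recipients = set()
    current = alert.get("data", {}).get("to")
    if current:
        recipients.add(current)
    for line in alert.get("previous_output", "").splitlines():
        recipients.update(TO_FIELD.findall(line))
    return sorted(recipients)


def build_ticket(alert):
    """ITSM payload for a UC alert, or None when the alert is not ours to handle."""
    if not has_group(alert):
        return None
    return {
        "rule_id": alert["rule"]["id"],
        "sender": alert.get("data", {}).get("from"),
        "recipients": collect_recipients(alert),
    }
```

In a real integration the alert dict comes from the JSON file whose path Wazuh passes as the first argument; build_ticket(SAMPLE_ALERT) here returns three distinct recipients from the one current event plus the three previous lines.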