Rule Not Triggering Despite Meeting Frequency/Timeframe Threshold


Claudio Cobbit

Mar 17, 2026, 9:10:27 AM (2 days ago) Mar 17
to Wazuh | Mailing List
Hello Wazuh team and community,

I am having some issues on correlating some rules of login attempts.

Here is my current rule set:

  <rule id="708004" level="1">
    <decoded_as>custom_portal_login</decoded_as>
    <description>Portal Log Found</description>
  </rule>

  <rule id="708005" level="5">
    <if_sid>2501,708004</if_sid>
    <field name="state">failure</field>
    <description>Failed Login</description>
    <group>authentication_failed</group>
  </rule>

  <rule id="708006" level="5">
    <if_sid>708004</if_sid>
    <field name="state">Successful</field>
    <description>Successful Login</description>
    <group>authentication_success</group>
  </rule>
 
  <rule id="708007" level="7" frequency="8" timeframe="900">
    <if_sid>708006</if_sid>
    <if_matched_sid>708005</if_matched_sid>
    <same_srcuser />
    <description>Multiple Login Failures followed by a success</description>
  </rule>
 

I am experiencing an issue where, even after reaching 8 or more failed login attempts triggering rule 708005 followed by a successful login triggering rule 708006, rule 708007 does not fire; only 708006 triggers. But when I lower the frequency of rule 708007 to 4 or below, it works as expected. Increasing the timeframe has no effect on this behavior either.

I already tried to test it on Ruleset test and both cases worked, but in a real simulation scenario it presents the behavior previously presented.

Does anyone have an idea of why this is happening?

Best Regards,
Claudio Cobbit

Olamilekan Abdullateef Ajani

Mar 17, 2026, 10:49:40 AM (2 days ago) Mar 17
to Wazuh | Mailing List
Hello Claudio,

Please confirm that when you tried it on ruletest it worked? Because when trying to simulate the situation here, authentication failure, when it reaches a frequency of 8, triggers another rule, which may affect the operation of your own custom rule because it is tied to 8 too. This may explain why it works when you reduce the frequency, as I did with mine, and it worked too.

I would also advise you to change the logic and move the frequency to the failed rule:

<group name="custom-test8,">

  <rule id="162250" level="5" frequency="8" timeframe="50">
    <if_matched_sid>5760</if_matched_sid>
    <description>Failed Login</description>
  </rule>

  <rule id="162251" level="12">
    <if_sid>5715</if_sid>
    <if_matched_sid>162250</if_matched_sid>
    <description>Successful connection after failed attempts</description>
  </rule>
</group>


This also seems like a cleaner approach.

Please review what I said above, and if you experience further challenges, please share a sample log for both authentication success and failure for further evaluation.

Regards,


Claudio Cobbit

8:55 AM (10 hours ago) 8:55 AM
to Wazuh | Mailing List
Hello Olamilekan,

Thank you for your help. Answering your previous question about the ruletest: yes, on ruletest it worked fine.
Following your suggestion, I tried a cleaner approach by splitting the rule and reducing the frequency to 6 for testing purposes, but the problem still persists: rule 708007 is never triggered, even after reaching 6 attempts within the 10-minute timeframe:

  <rule id="708004" level="6">
    <decoded_as>custom_portal_login</decoded_as>
    <description>Portal Log Found</description>
  </rule>

  <rule id="708005" level="7">
    <if_sid>708004</if_sid>
    <field name="state">failure</field>
    <description>Portal: Failed Login</description>
  </rule>

  <rule id="708006" level="7">
    <if_sid>708004</if_sid>
    <field name="state">Successful</field>
    <description>Portal: Successful Login</description>
  </rule>

  <rule id="708007" level="8" frequency="6" timeframe="600">
    <if_matched_sid>708005</if_matched_sid>
    <same_srcuser />
    <description>Portal: Multiple Login Failures</description>
  </rule>

  <rule id="708008" level="9">
    <if_matched_sid>708007</if_matched_sid>
    <if_sid>708006</if_sid>
    <same_srcuser />
    <description>Portal: Multiple Login Failures followed by a success</description>
  </rule>

When testing with ruletest using the same logs received in Wazuh, everything works as expected. However, in a real scenario where I fail the login 7 times, the rule never fires. Instead, rule 708005 triggers 7 times, when it should trigger 708007 on the 6th attempt.

I tried with 5 or less in the 708007 frequency and it worked fine btw.
I have already confirmed that no other events are being triggered for these logs.

Attached are the raw logs, the ruletest output, and the exported logs from Wazuh Discover.
logs_raw
exported_logs.csv
ruletest
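An added example, not code from this thread or from Wazuh: a small Python replay of the two-stage correlation that rules 708007 and 708008 above express (failures counted per srcuser inside a sliding timeframe, then a success by the same user), so the threshold can be checked offline against the exported events before blaming the engine. The event tuples are constructed sample data, and the reset-after-success behaviour and the exact threshold comparison are assumptions of this script, not Wazuh's matching semantics.

```python
from collections import defaultdict, deque

# Constructed sample events: (epoch seconds, srcuser, decoded "state" field).
# "alice" fails six times inside 10 minutes and then logs in; "bob" fails
# three times spread over more than 10 minutes, so his window never fills.
SAMPLE_EVENTS = [
    (0, "alice", "failure"), (40, "alice", "failure"), (95, "alice", "failure"),
    (150, "alice", "failure"), (210, "alice", "failure"), (260, "alice", "failure"),
    (300, "alice", "Successful"),
    (0, "bob", "failure"), (700, "bob", "failure"), (1500, "bob", "failure"),
    (1600, "bob", "Successful"),
]


def _prune(window, ts, timeframe):
    """Drop failure timestamps that fell out of the sliding timeframe."""
    while window and ts - window[0] > timeframe:
        window.popleft()


def correlate(events, frequency=6, timeframe=600):
    """Replay events in time order and return two lists:
      bursts    - (ts, user) where a user's failure count inside `timeframe`
                  first reached `frequency` (the 708007 stage)
      successes - (ts, user, failures_in_window) for a success that followed
                  an open burst by the same user (the 708008 stage)
    Assumption: a success closes the burst and empties that user's window."""
    windows = defaultdict(deque)   # srcuser -> failure timestamps in window
    burst_open = {}                # srcuser -> has 708007 stage fired?
    bursts, successes = [], []
    for ts, user, state in sorted(events):
        win = windows[user]
        _prune(win, ts, timeframe)
        if state.lower() == "failure":
            win.append(ts)
            if len(win) >= frequency and not burst_open.get(user):
                burst_open[user] = True
                bursts.append((ts, user))
        else:
            if burst_open.get(user):
                successes.append((ts, user, len(win)))
            win.clear()
            burst_open[user] = False
    return bursts, successes


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

If the exported rows carry no srcuser value at all, `<same_srcuser />` has nothing to compare, which is one of the first things worth checking in the attached logs.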