Is Field‑to‑Field Comparison Possible in Custom Rules?


Mithun Haridas

Apr 28, 2026, 2:24:31 AM
to Wazuh | Mailing List

Hi Team,

While working on custom rule creation recently, I encountered a challenge and would appreciate some guidance.

Is it possible to create a rule that compares two different fields within the same log event? Specifically, I would like to trigger a rule when the value of TargetDomainName is not equal to the value of SubjectDomainName within a single log entry (for example: TargetDomainName != SubjectDomainName).

Could someone please confirm whether this type of field‑to‑field comparison is supported, and if so, advise on how it can be implemented?

Thanks in advance for your help.

hasitha.u...@wazuh.com

Apr 28, 2026, 2:31:03 AM
to Wazuh | Mailing List
Hi Mithun,

Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.

hasitha.u...@wazuh.com

Apr 28, 2026, 2:54:11 AM
to Wazuh | Mailing List

Hi Mithun,

At the moment, Wazuh rules do not natively support direct field-to-field comparison inside the same event, such as:

TargetDomainName != SubjectDomainName

The <field> option compares one decoded field against a static value or regular expression. Multiple <field> entries can be used together, but they work as logical AND conditions, not as a comparison between the values of two decoded fields. Wazuh also has same_field and different_field, but those are used for correlation across multiple events with frequency and timeframe, not for comparing two fields inside one log event.

Rule syntax

I’ll check further to see if there is any workaround we can use to achieve this. I’ll keep you posted if I find a suitable approach. Thanks!
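To make the distinction in the reply above concrete, here is an added example rule file (written for this page, not code from the thread or from the Wazuh project). It assumes Windows Security events decoded by the eventchannel decoder, with fields such as win.system.eventID, win.eventdata.logonType, win.eventdata.subjectDomainName, win.eventdata.targetUserName and win.eventdata.ipAddress; the rule IDs 100100 and 100101 and the parent group name "windows" are assumptions chosen for illustration. The first rule shows several <field> checks, each against a static value or a regex, combined as AND. The second shows same_field and different_field, which correlate across multiple events that fired the parent rule within a timeframe. Neither form expresses targetDomainName != subjectDomainName inside one event, which is exactly the limitation described.

```xml
<group name="local,windows,">

  <!-- Added example for this thread; not part of the Wazuh ruleset.
       Rule IDs 100100/100101 and the parent group "windows" are assumptions. -->

  <!-- Rule 1: several <field> entries. Each compares ONE decoded field with a
       static value or a regular expression (type="pcre2" for PCRE2 syntax).
       All three must match (logical AND). There is no way to reference the
       value of another field on the right-hand side, so this cannot express
       win.eventdata.targetDomainName != win.eventdata.subjectDomainName. -->
  <rule id="100100" level="5">
    <if_group>windows</if_group>
    <field name="win.system.eventID">^4624$</field>
    <field name="win.eventdata.logonType">^3$</field>
    <field name="win.eventdata.subjectDomainName" type="pcre2">^(?i)CORP$</field>
    <description>Network logon (type 3) where the subject domain is CORP</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Rule 2: same_field / different_field are correlation options. They
       compare the named field ACROSS the events that triggered rule 100100
       within the timeframe: frequency="3" hits, same targetUserName, three
       different source IP addresses. They do not compare two different fields
       of a single event with each other. -->
  <rule id="100101" level="8" frequency="3" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_field>win.eventdata.targetUserName</same_field>
    <different_field>win.eventdata.ipAddress</different_field>
    <description>Same account logged on over the network from 3 different source IPs within 2 minutes</description>
    <group>authentication_success,</group>
  </rule>

</group>
```

To try it, place the file under /var/ossec/etc/rules/ (for example local_rules.xml) and run /var/ossec/bin/wazuh-logtest with a sample 4624 event to confirm that rule 100100 fires only when all three <field> checks match; the correlation rule 100101 needs three matching events within 120 seconds before it fires.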