Alert rule for field equals/not-equals another field


Ranjith Kesavan

Dec 19, 2022, 3:53:47 AM
to Wazuh mailing list
Hello Team, 

We have a requirement where we need to check and alert if one field in the decoded log equals another field in the same log.

Example log: "user bob updated user alice".

This is decoded as srcusr: "bob", dstusr: "alice" and action: "updated user".

We need to create a rule that alerts on all Update User operations except when srcusr and dstusr are the same. Note that both the srcusr and dstusr fields are dynamic and can be any username. In this scenario users are allowed to update only their own user account. If the user was updated by anyone else, that should trigger an alert.

Rule Logic:

Parent Rule (Level 10):

if action == "updated user"

Child Rule (Level 1):

if_sid == Parent Rule ID
if srcusr == dstusr

Thank you.
Ranjith Kesavan


Julián Morales

Dec 19, 2022, 8:26:10 AM
to Ranjith Kesavan, Wazuh mailing list
Hi Ranjith!

We know that this feature would be useful in Wazuh, so we have included it in our proof of concept of a new log analysis engine (currently under development), which, perhaps, in the future could replace analysisd.
On the other hand, you could do it! But there is a little trick: you must use PCRE2. You can write a regex that compares two parts of the log by using groups. In your example, a regex that would handle this would be:

user (\w+) updated user \1

This checks that the user is the same: \1 refers back to the first group, the part captured in the brackets, so the second username must be the same as the first.

I hope you find this helpful!
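The backreference trick from the reply, run over a few constructed log lines so the two-rule chain (parent fires on "updated user", child suppresses self-updates) can be seen end to end. This is an added example, not code from the thread or from Wazuh; it uses Python's `re` module, which accepts the same `(\w+)` group and `\1` backreference syntax that PCRE2 does, so the pattern shown here is what would go into a Wazuh `<regex type="pcre2">` element of a child rule. The sample log lines and the `classify`/`run` helpers are my own. It also covers one caveat worth knowing before deploying the pattern: left unanchored, `user (\w+) updated user \1` also matches "user bob updated user bobby" (the backreference only has to match a prefix of the second name), and `\w+` does not match usernames containing dots or hyphens, so the anchored `\S+` variant is shown beside it.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not taken from the original thread), in the
# "user <srcusr> updated user <dstusr>" shape described in the question.
SAMPLE_LOGS: List[str] = [
    "user bob updated user alice",    # someone else's account: should alert
    "user bob updated user bob",      # self-update: should be suppressed
    "user bob updated user bobby",    # prefix trap: NOT a self-update
    "user j.doe updated user j.doe",  # self-update with a dotted username
    "user alice deleted user bob",    # different action: parent never fires
]

# Parent rule (level 10 in the post): fires on any "updated user" event.
PARENT = re.compile(r"\bupdated user\b")

# Child rule exactly as suggested in the reply: \1 must repeat group 1.
# Unanchored and limited to \w, so it has the two weaknesses noted above.
NAIVE_SELF_UPDATE = re.compile(r"user (\w+) updated user \1")

# Hardened form: anchor both ends so "bob" cannot match the prefix of
# "bobby", and use \S+ so usernames such as "j.doe" are compared whole.
SELF_UPDATE = re.compile(r"^user (\S+) updated user \1$")


def classify(line: str, self_update: re.Pattern = SELF_UPDATE) -> str:
    """Emulate the parent/child rule chain for one log line.

    Returns 'no_match' when the parent does not fire, 'suppressed' when the
    child rule (the backreference regex) matches and overrides the parent,
    and 'alert' when the parent fires and the child does not match.
    """
    if not PARENT.search(line):
        return "no_match"      # child rules are only evaluated after if_sid hits
    if self_update.search(line):
        return "suppressed"    # srcusr == dstusr: the user edited themself
    return "alert"


def run(lines: List[str], self_update: re.Pattern = SELF_UPDATE) -> Dict[str, str]:
    """Classify every sample line with the given self-update pattern."""
    return {line: classify(line, self_update) for line in lines}


if __name__ == "__main__":
    for name, pattern in (("naive", NAIVE_SELF_UPDATE), ("anchored", SELF_UPDATE)):
        print(f"--- {name}: {pattern.pattern}")
        for line, verdict in run(SAMPLE_LOGS, pattern).items():
            print(f"{verdict:10s} {line}")
```

Running it shows the difference between the two child patterns: the naive one wrongly suppresses "user bob updated user bobby" and fails to suppress the "j.doe" self-update, while the anchored `\S+` form gets both right. In a Wazuh rule the child would carry `<if_sid>` pointing at the parent and a level of 0 if the self-update should not generate an alert at all (the poster's level 1 would still produce a low-severity event).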

