Custom rules FIM


DIWAHAR RAHAWID

May 19, 2026, 10:57:59 AM (4 days ago) May 19
to Wazuh | Mailing List

Hi Team,

I tried creating FIM rules specifically for .bak files, but while saving the rules I am encountering an XML error (113).

<group name="awsfim,">

  <rule id="110804" level="16">
    <if_sid>554</if_sid>
    <list field="agent.name" lookup="match_key">etc/lists/serverlist</list>
    <field name="syscheck.path" type="pcre2">(?i)\.(bak)$</field>
    <description>[File Created] Suspicious or monitored file type created: $(syscheck.path)</description>
    <email_to>a...@email.com</email_to>
    <mitre>
      <id>T1105</id>
      <id>T1566</id>
    </mitre>
  </rule>

  <rule id="110805" level="16">
    <if_sid>550</if_sid>
    <list field="agent.name" lookup="match_key">etc/lists/serverlist</list>
    <field name="syscheck.path" type="pcre2">(?i)\.(bak)$</field>
    <description>[File Modified] Suspicious or monitored file type modified: $(syscheck.path)</description>
    <email_to> a...@email.com </email_to>
    <mitre>
      <id>T1565.001</id>
    </mitre>
  </rule>

  <rule id="110808" level="16">
    <if_sid>553</if_sid>
    <list field="agent.name" lookup="match_key">etc/lists/serverlist</list>
    <field name="syscheck.path" type="pcre2">(?i)\.(bak)$</field>
    <description>[File Deleted] Critical or monitored file deleted: $(syscheck.path)</description>
    <email_to> a...@email.com </email_to>
    <mitre>
      <id>T1070.004</id>
      <id>T1485</id>
    </mitre>
  </rule>
</group>


Regards,

Diwahar

Bony V John

May 19, 2026, 11:49:57 PM (3 days ago) May 19
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Bony V John

May 20, 2026, 12:43:38 AM (3 days ago) May 20
to Wazuh | Mailing List
Hi,

The XML error shown on the dashboard while trying to save the custom rules is due to syntax issues in your custom rules.

There are some incorrect field names and syntax issues in the rules you shared. Your custom rules should look like the example below. I tested this on my end, and it is working fine.

Correct rule syntax:

<group name="awsfim,">

  <rule id="110804" level="15">
    <if_sid>554</if_sid>
    <list field="hostname" lookup="match_key">etc/lists/serverlist</list>
    <field name="file" type="pcre2">\.*.bak$</field>
    <description>[File Created] Suspicious or monitored file type created: $(file)</description>

    <mitre>
      <id>T1105</id>
      <id>T1566</id>
    </mitre>
  </rule>

  <rule id="110805" level="15">
    <if_sid>550</if_sid>
    <list field="hostname" lookup="match_key">etc/lists/serverlist</list>
    <field name="file" type="pcre2">\.*.bak$</field>
    <description>[File Modified] Suspicious or monitored file type modified: $(file)</description>

    <mitre>
      <id>T1565.001</id>
    </mitre>
  </rule>

  <rule id="110808" level="15">
    <if_sid>553</if_sid>
    <list field="hostname" lookup="match_key">etc/lists/serverlist</list>
    <field name="file" type="pcre2">\.*.bak$</field>
    <description>[File Deleted] Critical or monitored file deleted: $(file)</description>

    <mitre>
      <id>T1070.004</id>
      <id>T1485</id>
    </mitre>
  </rule>
</group>

In the above rules, I updated the agent.name field to hostname.

agent.name is metadata and is not part of the raw log, so it cannot be used in the <list> lookup condition for this case. Instead, you can use the hostname field, which contains the server hostname and can help identify where the event came from.

I also updated the regex pattern in the <field> tag to match file paths that end with the .bak extension.

Also, while creating custom rules for FIM events, there are some differences in the field names. In this case, the correct field name to check the file path is file, not syscheck.path.

You can refer to the Wazuh custom FIM rules documentation to confirm the correct field names.

Also, it seems that you added an <email_to> tag inside the custom rule to send an email alert to a recipient when the rule is triggered. This is not correct. The recipient email address cannot be configured directly inside a Wazuh rule. It should be configured in the Wazuh manager ossec.conf file.

There is no <email_to> tag in the Wazuh rules syntax. You can refer to the Wazuh rules syntax documentation for more details.

Save the custom rules and reload the Wazuh rule engine to apply them.

For email alerts related to these custom rules, I assume that you have already configured email alerts on the Wazuh manager. If not, you can refer to the Wazuh email alert configuration documentation.

After configuring email alerts, edit the Wazuh manager configuration file:

/var/ossec/etc/ossec.conf

Change the <email_alert_level> value from 12 to 3 to allow email alerting for lower-level alerts as well.

Then add the below configuration block:

<email_alerts>
  <email_to>y...@example.com</email_to>
  <group>awsfim,</group>
</email_alerts>

Then restart the Wazuh manager service.

This will send alerts triggered with the awsfim rule group to y...@example.com.

Replace y...@example.com with the email address that should receive the alerts.

You can refer to the Wazuh email alert configuration documentation for more details.

Please let me know if you have any further questions or need any assistance.
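As an added example (not Wazuh's tooling and not part of this thread), a small Python pre-flight check that catches the three problems discussed above before a rules file is saved: it parses the XML, flags tags that are not part of the rules syntax such as <email_to>, flags dashboard-only field names like syscheck.path and agent.name, and runs each pcre2 <field> pattern over constructed sample paths. ALLOWED_RULE_CHILDREN is an assumed subset of the rules syntax, the sample rules are constructed from the first post, and Python's re stands in for PCRE2.

```python
import re
import xml.etree.ElementTree as ET

# Tags the Wazuh rules syntax accepts inside <rule> (assumed subset, enough for
# the rules in this thread). Note that <email_to> is not among them.
ALLOWED_RULE_CHILDREN = {
    "if_sid", "if_group", "if_matched_sid", "match", "regex", "field", "list",
    "description", "mitre", "group", "options", "hostname", "decoded_as",
}
# Dashboard/index names from the thread that are absent from the decoded event.
DASHBOARD_ONLY_NAMES = {"syscheck.path": "file", "agent.name": "hostname"}

# Constructed rules file: the original post's first rule, shortened.
BAD_RULES = """<group name="awsfim,">
  <rule id="110804" level="15">
    <if_sid>554</if_sid>
    <list field="agent.name" lookup="match_key">etc/lists/serverlist</list>
    <field name="syscheck.path" type="pcre2">(?i)\\.(bak)$</field>
    <description>[File Created] $(syscheck.path)</description>
    <email_to>someone@example.com</email_to>
  </rule>
</group>"""
GOOD_RULES = (BAD_RULES.replace("syscheck.path", "file")
              .replace("agent.name", "hostname")
              .replace("    <email_to>someone@example.com</email_to>\n", ""))

def lint_rules(xml_text, sample_paths):
    """Return (errors, matches); matches maps rule id -> sample paths hit."""
    errors, matches = [], {}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # what the dashboard surfaces as an XML error
        return [f"xml: {exc}"], matches
    for rule in root.iter("rule"):
        rid = rule.get("id", "?")
        for child in rule:
            if child.tag not in ALLOWED_RULE_CHILDREN:
                errors.append(f"rule {rid}: unsupported tag <{child.tag}>")
            # <field name="..."> and <list field="..."> both name an event field
            name = child.get("name") if child.tag == "field" else child.get("field")
            if name in DASHBOARD_ONLY_NAMES:
                errors.append(f"rule {rid}: {name!r} is a dashboard field, "
                              f"use {DASHBOARD_ONLY_NAMES[name]!r}")
            if child.tag == "field" and child.get("type") == "pcre2":
                try:  # Python's re stands in for PCRE2; fine for these patterns
                    pat = re.compile(child.text)
                except re.error as exc:
                    errors.append(f"rule {rid}: bad regex {child.text!r}: {exc}")
                    continue
                matches[rid] = [p for p in sample_paths if pat.search(p)]
    return errors, matches
```

Running lint_rules over the original post's rule reports the <email_to> tag and both dashboard field names, while the corrected version passes with no errors.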

DIWAHAR RAHAWID

May 21, 2026, 6:23:12 AM (2 days ago) May 21
to Wazuh | Mailing List
Hi John,

Worked perfectly, thank you for the support.

Regards,
Diwahar