Create rule for custom log

[ektadhu...@gmail.com]

Hi Team,

I have created custom decoder for office365 logs and log format coming to kibana is attached in given file.

I want to create rule where location.country is different in one hour.

How I can achieve this?

Regards,

Ekta

[Christian Borla]

Hi Ekta

I hope you are doing fine!

I glad to know that you had created a custom decoder and rule. To achieve yours new requirements it's necessary create a new custom rule with "frequency and time frame" functionality. 

Wazuh included <different_location /> option, this option specifies that the decoded location must be different. This option is used in conjunction with frequency and timeframe. It's useful if you completed location field with comming location.country field.

Link: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#different-location

For your case, I guess we can use <different_field> option, as following sample:  

<rule id="100002" level="10" frequency="1" timeframe="3600">

  <if_matched_sid>100001</if_matched_sid>                              <------- Set your custom rule id

  <different_field>data.location.country</different_field>

  <description>Different Location Country</description>           <------- Configure the name as you want

</rule>

Description:

• if_matched_sid: Number of parent rule, in this case the number of your custom rule.
• Frequency: Number of times the rule must have matched before firing. 1 time for your case. 
• Timeframe: In seconds. This option is intended to be used with the frequency option. 3600 seconds for your case.

Find more samples into following link:

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#not-same-field

Let me know if that works.

Regards.

[ektadhu...@gmail.com]

  Hi Christian,

I have created rule as below:

<rule id="100084" level="12" frequency="2" timeframe="3600">

  <if_matched_sid>100142</if_matched_sid>

  <different_field>data.location.country</different_field>

  <description>User logged in from two different location</description>

</rule>

This rule should trigger when value for data.location.country is different for same user. Please verify if it is correct or not.

Regards,

Ekta

[Christian Borla]

Hi Ekta.

I hope you are doing fine!

Sorry for the delay, Did you test it? 
If you want to validet also same user, it should include an extra condition. <same_user />

<rule id="100084" level="12" frequency="2" timeframe="3600">

  <if_matched_sid>100142</if_matched_sid>
  <same_user />

  <different_field>data.location.country</different_field>

  <description>User logged in from two different location</description>

</rule>

It will works, if your custom decoder set your user log into default user field. If you have a different name field for your user, change <same_user /> condition by  <same_field>yourUserFiledName</same_field>. as following link sample https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#same-field

Let me know if that works.
Regards.

[ektadhu...@gmail.com]

Hi Christian,

I have created rule like this:

<rule id="100185" level="5" frequency="2" timeframe="3600">

  <if_matched_sid>100142</if_matched_sid>

  <same_field>userDisplayName</same_field>

  <different_field>data.location.country</different_field>

  <description>User logged in from two different location</description>

</rule>

But it is triggering even if data.location.country is same i.e. countryOrRegion=IN.

Regards,

Ekta

[Christian Borla]

Hi Ekta

I hope you are doing fine!

Sorry, try deleting data. from data.location.country as following:

<rule id="100185" level="5" frequency="2" timeframe="3600">

  <if_matched_sid>100142</if_matched_sid>

  <same_field>userDisplayName</same_field>

  <different_field>location.country</different_field>

  <description>User logged in from two different location</description>

</rule>  

In another hand, I would like have a sample log to analyze it, I have my doubts about userDisplayName. 

The attached log.png capture, doesn't include userDisplayName field. 

Let me Known if that works.

Regards.

[ektadhu...@gmail.com]

Hi Christian

Please find the log sample.

Regards,

Ekta

[Christian Borla]

Hi  Ekta
I hope you are doing fine!

Did custom rule works as expected?

Please, look for some sample log string into /var/ossec/logs/archive/archives.json (manager side). 

If archives file doesn't exist, double check manager ossec.conf include log 'all' options as following configuration and restart the manager.

<ossec_config>

<global>

<alerts_log>yes</alerts_log>

<logall>yes</logall>

</global>

Another option is try with a secon custom rule, but in that case it will trigger if first rule trigger 4 times. 
Conditions are:  
2 times event 100185 will trigger first condition of rules 100186 but not trigger an alert, 2 more times event 100185 will trigger an alert of 100186.

<rule id="100185" level="5" frequency="2" timeframe="3600">

  <if_matched_sid>100142</if_matched_sid>

  <same_field>userDisplayName</same_field>

  <description>User logged twice in a hour</description>

</rule>

<rule id="100186" level="12" frequency="2" timeframe="3600">

  <if_matched_sid>100185</if_matched_sid>

  <different_field>data.location.country</different_field>

  <description>User logged in from two different location</description>

</rule>

[Christian Borla]

Hi Ekta. 
Sorry, I forgot update rule 100186.

<rule id="100185" level="5" frequency="2" timeframe="3600">

  <if_matched_sid>100142</if_matched_sid>

  <same_field>userDisplayName</same_field>

  <description>User logged twice in a hour</description>

</rule>

<rule id="100186" level="12" frequency="2" timeframe="3600">

  <if_matched_sid>100185</if_matched_sid>

  <different_field>location.country</different_field>

  <description>User logged in from two different location</description>

</rule>

Let me know if that works.
Regards.