Hi Team,
I'm working on setting up a custom correlation rule in Wazuh to detect Forcepoint SMC config changes and identify who made the change, since the logs only show the event but not the user responsible.
When a config change event occurs, I want my rule to look back 3 hours for any login events and then correlate the two. I've created the rule accordingly, and in Wazuh version 4.10 (test environment) it works perfectly: multiple config change events within 3 hours correctly generate alerts with the associated login events.
When I deploy the same rule on a Wazuh 4.3.8 server:
- Only one config change event in 3 hours triggers the alert.
- Other events that should also match the criteria are not triggering any alert.
- I double-checked the logs and rule syntax; nothing seems wrong.
- The remaining config change events land in the parent rule for configuration changes.
My questions are:
- What could be the reason for this inconsistent behavior between Wazuh 4.10 and 4.3.8?
- How can I fix this?
I am attaching the custom rules I have created and the screenshots of the result.
I would really appreciate any guidance on how to resolve this issue.
Thank you in advance for your support,
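To make the intended correlation concrete, here is an added example that is not the poster's rule, not Wazuh engine code, and not Forcepoint SMC log data. It models the described logic in plain Python: for every config change, look back 3 hours for login events and attach them to an alert. The event dictionaries stand in for already-decoded fields; the timestamps, usernames, source addresses, object names and the field names themselves are constructed for the example.

```python
from datetime import datetime, timedelta

# Lookback window described in the post: 3 hours.
LOOKBACK = timedelta(hours=3)

# Constructed sample events (assumed field names, not real SMC log fields).
# Two config changes fall within 3 hours of earlier logins; the third has
# no login in its window and should therefore NOT be correlated.
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "type": "login", "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-05-01T08:30:00", "type": "config_change", "object": "policy/Internet"},
    {"ts": "2024-05-01T09:10:00", "type": "login", "user": "bob", "src": "10.0.0.9"},
    {"ts": "2024-05-01T09:45:00", "type": "config_change", "object": "element/Host-1"},
    {"ts": "2024-05-01T14:00:00", "type": "config_change", "object": "policy/DMZ"},
]


def correlate(events, lookback=LOOKBACK):
    """Correlate config changes with logins seen in the preceding window.

    Returns (alerts, unmatched):
      alerts    - one entry per config change that has at least one login in
                  the lookback window, listing those logins newest first and
                  naming the most recent login as the likely actor
      unmatched - config changes with no login in the window (these would
                  stay on the parent "configuration change" rule)
    """
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )
    recent_logins = []  # chronological, pruned to the window as we go
    alerts, unmatched = [], []
    for ev in parsed:
        if ev["type"] == "login":
            recent_logins.append(ev)
        elif ev["type"] == "config_change":
            window_start = ev["ts"] - lookback
            recent_logins = [l for l in recent_logins if l["ts"] >= window_start]
            if not recent_logins:
                unmatched.append(ev)
                continue
            # Every config change gets its own alert; the same logins may be
            # reused by several changes inside the window.
            alerts.append({
                "change": ev,
                "logins": list(reversed(recent_logins)),
                "likely_user": recent_logins[-1]["user"],
            })
    return alerts, unmatched


if __name__ == "__main__":
    found, missed = correlate(EVENTS)
    for a in found:
        print(f"{a['change']['ts']} {a['change']['object']}: likely {a['likely_user']}, "
              f"logins in window: {[l['user'] for l in a['logins']]}")
    for m in missed:
        print(f"{m['ts']} {m['object']}: no login within 3 hours")
```

With the constructed data this yields two alerts (the 08:30 and 09:45 changes, the second carrying both logins) and one uncorrelated change, which is the per-event behaviour the post reports seeing on 4.10. In Wazuh rule syntax this kind of lookback is normally expressed with `<if_matched_sid>` together with a `<timeframe>`, but since the poster's rules are not included here, this script only serves as a reference for how many alerts to expect when comparing the two servers.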