Help with a rule


Facu Basgall

Dec 10, 2025, 8:09:39 AM
to Wazuh | Mailing List

I want to make a filtering rule on rule 60204 (Multiple Logon Failure Windows) that lowers the level when the user and PC are on a list.

I have a FileServer "FS-001" where the users log in, so for example:

If it is Juan on Workstation 001, lower the level because it is correct.

If it is Marta on Workstation 002, lower the level because it is correct.

But if it is Marta on Workstation 001, keep the level.


I have the list of users with their allowed workstations.


Luis Enrique Chico Capistrano

Dec 10, 2025, 9:07:50 AM
to Wazuh | Mailing List
Hi Facu Basgall,

Based on your requirements, the best approach is to use CDB lists. You will find some examples in that document.

Also, here is some reference that could be useful:

If you need some help with this, I will need some examples of logs that you have received, including the login information for the different users.

Facu Basgall

Dec 12, 2025, 7:14:57 AM
to Wazuh | Mailing List

Can you please give me an example rule?

I have tried with a CDB list, but it didn't work as expected.

Each user has only one authorised workstation: if the failure comes from that user on that workstation it is not an alert, but if the user or the workstation is different, it is.

Luis Enrique Chico Capistrano

Dec 12, 2025, 7:29:37 PM
to Wazuh | Mailing List
Hi Facu,

As I mentioned before, it would be great to have a Windows event so I could test it locally. The idea should be something like this:

1. Create the CDB List File

  cat /var/ossec/etc/lists/authorized_workstations
  Juan:001
  Marta:002

2. Register the CDB List in ossec.conf

  Location: /var/ossec/etc/ossec.conf

  Add this block at the end of the file (before the final </ossec_config>):

  <ossec_config>
    <ruleset>
      <!-- Path is relative to /var/ossec -->
      <list>etc/lists/authorized_workstations</list>
    </ruleset>
  </ossec_config>

3. Create the Custom Rule

  Location: /var/ossec/etc/rules/local_rules.xml

  Add this rule inside the file:

  <group name="local,windows,authentication,">

    <!-- Child of 60204: lowers the level to 3 when the failed logons on FS-001
         come from a user/workstation pair that is on the CDB list; any other
         pair keeps the parent rule's level. -->
    <rule id="100100" level="3">
      <if_sid>60204</if_sid>
      <field name="win.system.computer">^FS-001$</field>
      <!-- Intended lookup: targetUserName is the list key and the stored
           workstation is compared with the event's workstationName -->
      <list field="win.eventdata.targetUserName" lookup="match_key_value" check_value="win.eventdata.workstationName">etc/lists/authorized_workstations</list>
      <description>Multiple Windows Logon Failures on FS-001 - User on authorized workstation (level lowered)</description>
      <options>no_full_log</options>
      <group>authentication_failures,authorized_workstation,</group>
    </rule>

  </group>

4. Restart Wazuh Manager
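The decision the custom rule above is meant to make, written out as a stand-alone checker (an added example, not Wazuh's own lookup code): it parses a user:workstation list in the same key:value layout as the CDB file, rejects malformed or duplicate entries, and evaluates constructed events for the three cases from the first message. The decoded field names, the level 10 assumed for rule 60204 and exact-match semantics are assumptions to confirm against your deployment.

```python
# Added example (not Wazuh code): model of the decision the custom rule is
# meant to make, so the CDB list file can be sanity-checked before deploying.
BASE_LEVEL = 10      # assumed level of the stock rule 60204 (Multiple Windows Logon Failures)
LOWERED_LEVEL = 3    # level set by the custom rule 100100 from the thread
FILE_SERVER = "FS-001"

# Constructed list content in CDB "key:value" form (user:workstation)
CDB_LIST = """\
Juan:001
Marta:002
"""

def parse_cdb_list(text):
    """Parse user:workstation lines; reject malformed lines and duplicate keys."""
    allowed = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected key:value, got {line!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if not key or not value:
            raise ValueError(f"line {lineno}: empty key or value")
        if key in allowed:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        allowed[key] = value
    return allowed

def make_event(user, workstation, computer=FILE_SERVER):
    """Constructed minimal event with the decoded 4625 fields the rule reads."""
    return {"win": {"system": {"computer": computer},
                    "eventdata": {"targetUserName": user,
                                  "workstationName": workstation}}}

def alert_level(event, allowed):
    """Level the failure should end up with after the custom rule is evaluated."""
    if event["win"]["system"]["computer"] != FILE_SERVER:
        return BASE_LEVEL  # custom rule only applies to the file server
    data = event["win"]["eventdata"]
    user = data.get("targetUserName", "")
    # Exact match on both key and value: Marta on 001 is NOT authorized
    if allowed.get(user) == data.get("workstationName", ""):
        return LOWERED_LEVEL
    return BASE_LEVEL

if __name__ == "__main__":
    allowed = parse_cdb_list(CDB_LIST)
    for user, ws in [("Juan", "001"), ("Marta", "002"), ("Marta", "001")]:
        print(user, ws, "->", "level", alert_level(make_event(user, ws), allowed))
```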

Facu Basgall

Dec 23, 2025, 9:48:18 AM
to Wazuh | Mailing List

Hi, the rule is not working as expected.

It is still capturing the event of rule 60204 even when the conditions of the newly created rule are fulfilled.

I am attaching images of the case.

On Wednesday, December 17, 2025 at 8:43:57 UTC-3, Facu Basgall wrote:

Thank you very much, that's what I was expecting ❤️

rules_win-security-custom-2.jpeg
cdb-lists.jpeg
events-rule-101203.jpeg
events-rule-60204.jpeg
rules_win-security-custom-1.jpeg

Luis Enrique Chico Capistrano

Jan 2, 2026, 9:30:39 AM
to Wazuh | Mailing List
Hi Facu,

Sorry for the delay. I want to reproduce your test, but to do so, I need you to share the event exactly as the manager received it.

Could you enable the archive.log (see documentation) by setting <logall> to yes in the ossec.conf file?

Afterward, please find the raw event in /var/ossec/logs/archives/archives.log and share it with me. I need that specific event so I can test it locally.


Facu Basgall

Jan 15, 2026, 10:19:39 AM
to Wazuh | Mailing List

Hi! You won't be able to test it locally, as they are events coming from EventChannel and Wazuh (as far as I understand) doesn't allow testing of these events.

Please help me with the rule.
