Help with a rule


Facu Basgall

Dec 10, 2025, 8:09:39 AM (7 days ago)
to Wazuh | Mailing List

I want to make a filtering rule on rule 60204 (Multiple Logon Failure Windows) so that, when the user and PC are in a list, the level is lowered.

I have a FileServer "FS-001" where the users log in, so for example:

If it is Juan on Workstation 001, lower the level, because it is correct.

If it is Marta on Workstation 002, lower the level, because it is correct.

But if it is Marta on Workstation 001, keep the level.


I have the list of users with their allowed workstations.


Luis Enrique Chico Capistrano

Dec 10, 2025, 9:07:50 AM (7 days ago)
to Wazuh | Mailing List
Hi Facu Basgall,

Based on your requirements, the best approach is to use CDB lists. You will find some examples in that document.

Also, here is a reference that could be useful:

If you need some help with this, I will need some examples of logs that you have received, including the login information for the different users.

Facu Basgall

Dec 12, 2025, 7:14:57 AM (5 days ago)
to Wazuh | Mailing List

Can you please give me an example rule?

I have tried with a CDB list, but it didn't work as expected.

Each user has only one authorised workstation: if it happens from that user on that workstation, it is not an alert, but if the user or the workstation is different, it is.

Luis Enrique Chico Capistrano

Dec 12, 2025, 7:29:37 PM (5 days ago)
to Wazuh | Mailing List
Hi Facu,

As I mentioned before, it would be great to have a Windows event so I could test it locally. The idea should be something like this:

1. Create the CDB List File

cat /var/ossec/etc/lists/authorized_workstations
# one user:workstation pair per line, the key (user name, as decoded in
# win.eventdata.targetUserName) before the colon, no leading whitespace
Juan:001
Marta:002

2. Register the CDB List in ossec.conf

  Location: /var/ossec/etc/ossec.conf

  Add this block at the end of the file (before the final </ossec_config>):

  <!-- ossec.conf may contain several <ossec_config> blocks; the manager merges them,
       so a separate block appended at the end of the file is valid -->
  <ossec_config>
    <ruleset>
      <list>etc/lists/authorized_workstations</list>
    </ruleset>
  </ossec_config>


 3. Create the Custom Rule

  Location: /var/ossec/etc/rules/local_rules.xml

  Add this rule inside the file:

  <group name="local,windows,authentication,">

    <!-- check_value in a <list> lookup is a static regex, not a reference to another
         event field, so one child rule per authorised workstation is needed: the rule
         pins win.eventdata.workstationName to that workstation and the CDB lookup
         checks that the failing user's listed workstation is the same one.
         Level 3 is still written to alerts with the default log_alert_level (3);
         use a lower level if these should not appear as alerts at all. -->
    <rule id="100100" level="3">
      <if_sid>60204</if_sid>
      <!-- adjust the pattern if the Computer field carries the FQDN -->
      <field name="win.system.computer">^FS-001$</field>
      <field name="win.eventdata.workstationName">^001$</field>
      <list field="win.eventdata.targetUserName" lookup="match_key_value" check_value="^001$">etc/lists/authorized_workstations</list>
      <description>Multiple Windows Logon Failures on FS-001 - user on authorised workstation 001 (level lowered)</description>
      <options>no_full_log</options>
      <group>authentication_failures,authorized_workstation,</group>
    </rule>

    <rule id="100101" level="3">
      <if_sid>60204</if_sid>
      <field name="win.system.computer">^FS-001$</field>
      <field name="win.eventdata.workstationName">^002$</field>
      <list field="win.eventdata.targetUserName" lookup="match_key_value" check_value="^002$">etc/lists/authorized_workstations</list>
      <description>Multiple Windows Logon Failures on FS-001 - user on authorised workstation 002 (level lowered)</description>
      <options>no_full_log</options>
      <group>authentication_failures,authorized_workstation,</group>
    </rule>

  </group>


4. Restart Wazuh Manager
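Because a CDB lookup's check_value is a fixed regex rather than a reference to another event field, the rule set needs one child rule of 60204 per authorised workstation. The script below, an added example that is not from the thread or from Wazuh, generates those rules from the same user:workstation list that feeds the CDB list, so the list stays the single source of truth. Assumptions that are mine, not the post's: one user:workstation pair per line, lines starting with # are comments, workstation names contain no whitespace (only dots are escaped for the regex), the CDB list is registered as etc/lists/authorized_workstations, rule IDs start at the value passed in, and the file server name is passed as an argument.

```shell
#!/bin/sh
# Added example (not code from the thread or from Wazuh): generate per-workstation
# child rules of 60204 from a "user:workstation" list (assumed format, see lead-in).

# escape_ws NAME: escape dots so a name such as WS-3.corp.example matches literally
# in the Wazuh regex. Other metacharacters are assumed absent from names.
escape_ws() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# workstations LIST: distinct workstation names from the list, one per line, sorted.
# Comment lines (#) and lines without a colon are ignored.
workstations() {
  grep -v '^[[:space:]]*#' "$1" | grep ':' | cut -d: -f2 | sort -u
}

# count_rules LIST: number of rules gen_rules will emit (one per distinct workstation).
count_rules() {
  workstations "$1" | grep -c .
}

# gen_rules LIST FILESERVER START_ID: print a <group> for local_rules.xml with one
# rule per workstation. Each rule pins win.eventdata.workstationName to that
# workstation and the CDB lookup confirms the failing user's listed workstation is
# the same one, which is what a static check_value regex allows us to express.
gen_rules() {
  list="$1"; fs="$2"; id="$3"
  fs_esc=$(escape_ws "$fs")
  printf '<group name="local,windows,authentication,">\n'
  while IFS= read -r ws; do
    [ -n "$ws" ] || continue
    esc=$(escape_ws "$ws")
    printf '  <rule id="%s" level="3">\n' "$id"
    printf '    <if_sid>60204</if_sid>\n'
    printf '    <field name="win.system.computer">^%s$</field>\n' "$fs_esc"
    printf '    <field name="win.eventdata.workstationName">^%s$</field>\n' "$esc"
    printf '    <list field="win.eventdata.targetUserName" lookup="match_key_value" check_value="^%s$">etc/lists/authorized_workstations</list>\n' "$esc"
    printf '    <description>Multiple Windows logon failures on %s from %s by a user authorised for it (level lowered)</description>\n' "$fs" "$ws"
    printf '    <options>no_full_log</options>\n'
    printf '    <group>authentication_failures,authorized_workstation,</group>\n'
    printf '  </rule>\n'
    id=$((id + 1))
  done <<EOF
$(workstations "$list")
EOF
  printf '</group>\n'
}

# Demo on a constructed list (sample data, not a real inventory).
demo_list=$(mktemp)
printf '# user:workstation\nJuan:001\nMarta:002\nPedro:002\n' > "$demo_list"
gen_rules "$demo_list" FS-001 100100
rm -f "$demo_list"
```

Run it against the real list, paste the output into /var/ossec/etc/rules/local_rules.xml (keeping the IDs clear of any other local rules), restart the manager so the list is compiled and the rules loaded, and then feed a 4625 event for an authorised and an unauthorised pair through /var/ossec/bin/wazuh-logtest to confirm that only the authorised pair hits a 1001xx rule.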

Facu Basgall

6:43 AM (9 hours ago)
to Wazuh | Mailing List

Thank you very much, that's what I was expecting ❤️
