Rules Syntax
The ThreatLockDown Ruleset combined with any customs rules is used to analyze incoming events and generate alerts when appropriate. The Ruleset is in constant expansion and enhancement thanks to the collaborative effort of our developers and our growing community.
Our aim is to provide the best guidance possible for anyone who may be looking into developing their own custom rules. Remember that you can always contribute to our community.
Overview
The xml labels used to configure rules
are listed here.
Option |
Values |
Description |
---|---|---|
See table below. |
Its starts a new rule and its defining options. |
|
Any regular expression. |
It will attempt to find a match in the log using sregex by default, deciding if the rule should be triggered. |
|
Any regular expression. |
It does the same as |
|
Any decoder's name. |
It will match with logs that have been decoded by a specific decoder. |
|
Any type. |
It will match with logs whose decoder's type concur. |
|
Name and any regular expression. |
It will compare a field extracted by the decoder in order with a regular expression. |
|
Any IP address. |
It will compare the IP address with the IP decoded as |
|
Any IP address. |
It will compare the IP address with the IP decoded as |
|
Any regular expression. |
It will compare a regular expression representing a port with a value decoded as |
|
Any regular expression. |
It will compare a regular expression representing a port with a value decoded as |
|
Any regular expression. |
It will compare a regular expression representing a data with a value decoded as |
|
Any regular expression. |
It will compare a regular expression representing an extra data with a value decoded
as |
|
Any regular expression. |
It will compare a regular expression representing a user with a value decoded as |
|
Any regular expression. |
It will compare a regular expression representing a system name with a value decoded
as |
|
Any regular expression. |
It will compare a regular expression representing a program name with a value pre-decoded
as |
|
Any regular expression. |
It will compare a regular expression representing a protocol with a value decoded as |
|
Any regular expression. |
It will compare a regular expression representing a hostname with a value pre-decoded
as |
|
Any time range. e.g. (hh:mm-hh:mm) |
It checks if the event was generated during that time range. |
|
monday - sunday, weekdays, weekends |
It checks whether the event was generated during certain weekdays. |
|
Any regular expression. |
It will compare a regular expression representing an ID with a value decoded as |
|
Any regular expression. |
It will compare a regular expression representing a URL with a value decoded as |
|
Any regular expression. |
It will compare a regular expression representing a location with a value pre-decoded
as |
|
Any String or regular expression. |
It will compare a string or regular expression representing an action with a value decoded
as |
|
Any regular expression. |
It will compare a regular expression representing a status with a value decoded as |
|
Any regular expression. |
It will compare a regular expression representing a GeoIP source with a value decoded
as |
|
Any regular expression. |
It will compare a regular expression representing a GeoIP destination with a value decoded
as |
|
A list of rule IDs separated by commas or spaces. |
It works similar to parent decoder. It will match when a rule ID on the list has previously matched. |
|
Any group name. |
It will match if the indicated group has matched before. |
|
Any level from 1 to 16. |
It will match if that level has already been triggered by another rule. |
|
Any rule ID (Number). |
Similar to |
|
Any group name. |
Similar to |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The |
|
None. |
The |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
None. |
The decoded |
|
Any String. |
Provides a human-readable description to explain what is the purpose of the rule. Please, use this field when creating custom rules. |
|
Path to the CDB file. |
Perform a CDB lookup using an ossec list. |
|
Any String. |
Extra information using certain attributes. |
|
See the table below. |
Additional rule options that can be used. |
|
None. |
Determines when the output of a command changes. |
|
Any String. |
Add additional groups to the alert. |
|
See Mitre table below. |
Contains Mitre Technique IDs that fit the rule |
|
Name for the variable. Most used: BAD_WORDS |
Defines a variable that can be used anywhere inside the same file. |
group
Groups categorize alerts. They allow filtering related alerts in the ThreatLockDown dashboard.
The default ThreatLockDown ruleset already includes rules that use groups like syscheck,
, attack,
, and syslog,
. As an example, you can filter alerts for these categories by querying rule.groups: attack
or rule.groups: (syscheck OR syslog)
in the ThreatLockDown dashboard.
Every rule must belong to at least one group. To specify one or more groups for a rule, enclose the rule definition with the <group name="GROUP1_NAME,GROUP2_NAME,">
element. For example:
<group name="wazuh,">
<rule id="100234" level="3">
<if_sid>230</if_sid>
<field name="alert_type">normal</field>
<description>The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored.</description>
</rule>
</group>
You can also specify additional groups by including the <group>
element within the rule definition. For example:
<group name="wazuh,">
<rule id="100234" level="3">
<if_sid>230</if_sid>
<field name="alert_type">normal</field>
<description>The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored.</description>
<group>syscheck,fim_db_state,</group>
</rule>
</group>
To define rules that trigger only if another rule in a specific group has triggered, check the if_group and if_matched_group options.
rule
<rule>
is the label that starts the block that defines a rule. In this section, different options for this label are explained.
level |
Definition |
Specifies the level of the rule. Alerts and responses use this value. |
Allowed values |
0 to 16 |
|
id |
Definition |
Specifies the ID of the rule. |
Allowed values |
Any number from 1 to 999999 |
|
maxsize |
Definition |
Specifies the maximum size of the event. |
Allowed values |
Any number from 1 to 9999 |
|
frequency |
Definition |
Number of times the rule must have matched before firing. |
Allowed values |
Any number from 2 to 9999 |
|
timeframe |
Definition |
The timeframe in seconds. This option is intended to be used with the frequency option. |
Allowed values |
Any number from 1 to 99999 |
|
ignore |
Definition |
The time (in seconds) to ignore this rule after firing it (to avoid floods). |
Allowed values |
Any number from 1 to 999999 |
|
overwrite |
Definition |
Used to supersede a rule with local changes. To maintain consistency between loaded rules, |
Allowed values |
yes, no |
|
noalert |
Definition |
Not trigger an alert if the rule matches. |
Allowed values |
|
Example:
<rule id="3151" level="10" frequency="8" timeframe="120"> <if_matched_sid>3102</if_matched_sid> <same_source_ip /> <description>sendmail: Sender domain has bogus MX record. </description> <description>It should not be sending e-mail.</description> <mitre> <id>T1114</id> <id>T1499</id> </mitre> <group>multiple_spam,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group> </rule>
The rule is created with ID: 3151
and it will trigger a level 10 alert if the rule 3102
has matched 8 times in the last 120 seconds.
match
Used as a requisite to trigger the rule. It will search for a match in the log event.
Default Value |
n/a |
Allowed values |
Example:
<rule id="100001" maxsize="300" level="3"> <if_sid>100200</if_sid> <match>Queue flood!</match> <description>Flooded events queue.</description> </rule>
If the rule matches the id
100200 and the log contains the Queue flood!
phrase in it, rule activates and triggers a level 3 alert.
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osmatch |
osmatch |
osregex |
|||
pcre2 |
If match
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
regex
Used as a requisite to trigger the rule. It will search for a match in the log event.
Default Value |
n/a |
Allowed values |
Example:
<rule id="100001" level="3"> <if_sid>100500</if_sid> <regex>\d+.\d+.\d+.\d+</regex> <description>Matches any valid IP</description> </rule>
If the rule matches the ìd
100500 and the event contains any valid IP, the rule is triggered and generates a level 3 alert.
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osregex |
osregex |
osmatch |
|||
pcre2 |
If regex
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
decoded_as
Used as a requisite to trigger the rule. It will be triggered if the event has been decoded by a certain decoder
. Useful to group rules and have child rules inheriting from it.
Default Value |
n/a |
Allowed values |
Any decoder name |
Example:
<rule id="53500" level="0"> <decoded_as>smtpd</decoded_as> <description>OpenSMTPd grouping.</description> </rule>
The rule will be triggered if the event was decoded by the smtpd
decoder. Now is possible to make more rules that will inherit from this one, specifically made for OpenSMTPd events.
category
Used as a requisite to trigger the rule. It will be triggered if the decoder
included that log in said category.
Default Value |
n/a |
Allowed values |
Any type |
Example:
<rule id="01" level="0" noalert="1"> <category>syslog</category> <description>Generic template for all syslog rules.</description> </rule>
The rule will be triggered if the event has previously been cataloged syslog
by the decoder, but it will not trigger an alert. Instead, it will be matched by other rules that might trigger alerts if needed.
field
Used as a requisite to trigger the rule. It will check for a match in the content of a field extracted by the decoder.
Default Value |
n/a |
Allowed values |
Below is the list of attributes.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
name |
specifies the name of the field extracted by the decoder. |
n/a |
n/a |
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osregex |
osregex |
osmatch |
|||
pcre2 |
Example:
<rule id="87100" level="0"> <decoded_as>json</decoded_as> <field name="integration">virustotal</field> <description>VirusTotal integration messages.</description> <options>no_full_log</options> </rule>
This rule, groups events decoded from json that belong to an integration called VirusTotal. It checks the field decoded as integration
and if its content is virustotal
the rule is triggered.
srcip
Used as a requisite to trigger the rule. It will compare any IP address or CIDR block to an IP decoded as srcip. Use "!" to negate it.
Default Value |
n/a |
Allowed values |
Any srcip |
Example:
<rule id="100105" level="8"> <if_sid>100100</if_sid> <srcip>10.25.23.12</srcip> <description>Forbidden srcip has been detected.</description> </rule>
This rule will trigger when that exact scrip
has been decoded.
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
If srcip
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
dstip
Used as a requisite to trigger the rule. It will compare any IP address or CIDR block to an IP decoded as dstip. Use "!" to negate it.
Default Value |
n/a |
Allowed values |
Any dstip |
Example:
<rule id="100110" level="5"> <if_sid>100100</if_sid> <dstip>!198.168.41.30</dstip> <description>A different dstip has been detected.</description> </rule>
This rule will trigger when an dstip
different from 198.168.41.30
is detected.
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
If dstip
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
srcport
Used as a requisite to trigger the rule. It will check the source port (decoded as srcport
).
Default Value |
n/a |
Allowed values |
Example:
<rule id="100110" level="5"> <if_sid>100100</if_sid> <srcport type="pcre2">^5000[0-7]$</srcport> <description>Source port $(srcport) is detected.</description> </rule>
This rule will trigger when srcport
is in the range of 50000 to 50007.
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osmatch |
osmatch |
osregex |
|||
pcre2 |
If srcport
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
dstport
Used as a requisite to trigger the rule. It will check the destination port (decoded as dstport
).
Default Value |
n/a |
Allowed values |
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osmatch |
osmatch |
osregex |
|||
pcre2 |
If dstport
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
data
Used as a requisite to trigger the rule. It will check the data (decoded as data
).
Default Value |
n/a |
Allowed values |
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osmatch |
osmatch |
osregex |
|||
pcre2 |
If data
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
extra_data
Used as a requisite to trigger the rule. It will compare any string with the one decoded into the extra_data field.
Default Value |
n/a |
Allowed values |
Example:
<rule id="7301" level="0"> <category>windows</category> <extra_data>^Symantec AntiVirus</extra_data> <description>Grouping of Symantec AV rules from eventlog.</description> </rule>
This rule will trigger when the log belongs to windows
category and the decoded field extra_data
is: Symantec AntiVirus
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osmatch |
osmatch |
osregex |
|||
pcre2 |
If extra_data
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
user
Used as a requisite to trigger the rule. It will check the username (decoded as user
).
Default Value |
n/a |
Allowed values |
Example:
<rule id="140101" level="12"> <if_group>authentication_success</if_group> <user negate="yes">wazuh|root</user> <description>Unexpected user successfully logged to the system.</description> </rule>
This rule will trigger when a user different from root
or wazuh
successfully login into the system.
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osmatch |
osmatch |
osregex |
|||
pcre2 |
If user
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
system_name
Used as a requisite to trigger the rule. It will check the system name (decoded as system_name
).
Default Value |
n/a |
Allowed values |
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osmatch |
osmatch |
osregex |
|||
pcre2 |
If system_name
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
program_name
Used as a requisite to trigger the rule. The program's name is decoded from syslog process name.
Default Value |
n/a |
Allowed values |
Example:
<rule id="1005" level="5"> <program_name>syslogd</program_name> <match>^restart</match> <description>Syslogd restarted.</description> <group>pci_dss_10.6.1,gpg13_10.1,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group> </rule>
The rule will trigger when the program Syslogd restarted.
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osmatch |
osmatch |
osregex |
|||
pcre2 |
If program_name
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
protocol
Used as a requisite to trigger the rule. It will check the protocol (decoded as protocol
).
Default Value |
n/a |
Allowed values |
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osmatch |
osmatch |
osregex |
|||
pcre2 |
If protocol
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
hostname
Used as a requisite to trigger the rule. Any hostname (decoded as the syslog hostname) or log file.
Default Value |
n/a |
Allowed values |
Example:
<rule id="2931" level="0"> <hostname>yum.log$</hostname> <match>^Installed|^Updated|^Erased</match> <description>Yum logs.</description> </rule>
This rule will group rules for Yum logs
when something is either being installed, updated or erased.
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osmatch |
osmatch |
osregex |
|||
pcre2 |
If hostname
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
time
Used as a requisite to trigger the rule. Used for checking the time that the event was generated.
Default Value |
n/a |
Allowed values |
Any time range (hh:mm-hh:mm, hh:mm am-hh:mm pm, hh-hh, hh am-hh pm) |
Example:
<rule id="17101" level="9"> <if_group>authentication_success</if_group> <time>6 pm - 8:30 am</time> <description>Successful login during non-business hours.</description> <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,</group> </rule>
This rule will trigger when there is a successful login between 6 pm and 8 am.
weekday
Used as a requisite to trigger the rule. Checks the weekday that the event was generated.
Default Value |
n/a |
Allowed values |
monday - sunday, weekdays, weekends |
Example:
<rule id="17102" level="9"> <if_group>authentication_success</if_group> <weekday>weekends</weekday> <description>Successful login during weekend.</description> <group>login_day,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,</group> </rule>
This rule will trigger when there is a successful login during the weekend.
id
Used as a requisite to trigger the rule. It will check any ID (decoded as the ID).
Default Value |
n/a |
Allowed values |
Example:
<rule id="81100" level="0"> <decoded_as>kernel</decoded_as> <id>usb</id> <description>USB messages grouped.</description> </rule>
This rule will group the logs whose decoded ID is usb.
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osmatch |
osmatch |
osregex |
|||
pcre2 |
If id
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
url
Used as a requisite to trigger the rule. It will check any URL (decoded as the URL).
Default Value |
n/a |
Allowed values |
Example:
<rule id="31102" level="0"> <if_sid>31101</if_sid> <url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$|.js$|.jpeg$</url> <compiled_rule>is_simple_http_request</compiled_rule> <description>Ignored extensions on 400 error codes.</description> </rule>
This rule is a child from a level 5 rule 31101
and becomes a level 0 rule when it confirms that the extensions are nothing to worry about.
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osmatch |
osmatch |
osregex |
|||
pcre2 |
If url
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
location
Used as a requisite to trigger the rule. It will check the content of the field location and trying to find a match.
Default Value |
n/a |
Allowed values |
The location identifies the origin of the input. If the event comes from an agent, its name and registered IP address (as it was added) is appended to the location.
Example of a location for a log pulled from "/var/log/syslog" in an agent with name "dbserver" and registered with IP "any":
(dbserver) any->/var/log/syslog
The following components use a static location:
Component |
Location |
Windows Eventchannel |
EventChannel |
Windows Eventlog |
WinEvtLog |
FIM (Syscheck) |
syscheck |
Rootcheck |
rootcheck |
Syscollector |
syscollector |
Vuln Detector |
vulnerability-detector |
Azure Logs |
azure-logs |
AWS S3 integration |
aws-s3 |
Docker integration |
Wazuh-Docker |
Osquery integration |
osquery |
OpenSCAP integration |
open-scap |
CIS-CAT integration |
wodle_cis-cat |
SCA module |
sca |
Example:
<rule id="24000" level="3"> <location>osquery$</location> <description>osquery message</description> </rule>
This rule, groups logs that come from osquery
location. Triggering a level 3 alert for it.
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osmatch |
osmatch |
osregex |
|||
pcre2 |
If location
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
action
Used as a requisite to trigger the rule. It will check any action (decoded as the ACTION).
Default Value |
n/a |
Allowed values |
Example:
<rule id="4502" level="4"> <if_sid>4500</if_sid> <action type="osregex">warning|WARN</action> <description>Netscreen warning message.</description> </rule>
This rule will trigger a level 4 alert when the decoded action from Netscreen is warning
or WARN
.
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osmatch |
string |
osregex |
|||
pcre2 |
Note
Use type
attribute only for regular expression match. It must be omitted if action
field try to match a string.
If action
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
status
Checks the actual status of an event.
Default Value |
n/a |
Allowed values |
Example:
<rule id="213" level="7"> <if_sid>210</if_sid> <status>aborted</status> <description>Remote upgrade could not be launched. Error: $(error).</description> <group>upgrade,upgrade_failure,</group> </rule>
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osmatch |
osmatch |
osregex |
|||
pcre2 |
If status
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
srcgeoip
Used as a requisite to trigger the rule. It will check the GeoIP source (decoded as srcgeoip
).
Default Value |
n/a |
Allowed values |
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osmatch |
osmatch |
osregex |
|||
pcre2 |
If srcgeoip
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
dstgeoip
Used as a requisite to trigger the rule. It will check the GeoIP destination (decoded as dstgeoip
).
Default Value |
n/a |
Allowed values |
The attributes below are optional.
Attribute |
Description |
Value range |
Default value |
---|---|---|---|
negate |
allows to negate the regular expression |
no |
no |
yes |
|||
type |
allows to set regular expression type |
osmatch |
osmatch |
osregex |
|||
pcre2 |
If dstgeoip
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value will be used.
if_sid
Used as a requisite to trigger the rule. Matches when an ID on the list has previously matched. It is similar to a child decoder, with the key difference that alerts can have as many descendants as necessary, whereas decoder cannot have "grandchildren".
Default Value |
n/a |
Allowed values |
Any rule ID. Multiple values must be separated by commas or spaces. |
Example:
<rule id="100110" level="5"> <if_sid>100100, 100101</if_sid> <match>Error</match> <description>There is an error in the log.</description> </rule>
The rule 100110
is triggered when either of the parent rules has matched and the logs contain the word "Error".
if_group
Used as a requisite to trigger the rule. Matches if the group has matched before.
Default Value |
n/a |
Allowed values |
Any Group |
Example:
<rule id="184676" level="12"> <if_group>sysmon_event1</if_group> <field name="sysmon.image">lsm.exe</field> <description>Sysmon - Suspicious Process - lsm.exe</description> <group>pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_SI.4,</group> </rule>
The rule matches if the group sysmon_event1
has previously matched before and if the field decoded as sysmon.image
is "lsm.exe".
if_level
Matches if the level has matched before.
Default Value |
n/a |
Allowed values |
Any level from 1 to 16 |
if_matched_sid
Matches if an alert of the defined ID has been triggered in a set number of seconds.
This option is used in conjunction with frequency
and timeframe
.
Default Value |
n/a |
Allowed values |
Any rule id |
Note
Rules at level 0 are discarded immediately and will not be used with the if_matched_rules. The level must be at least 1, but the <no_log> option can be added to the rule to make sure it does not get logged.
Example:
<rule id="30316" level="10" frequency="10" timeframe="120">
<if_matched_sid>30315</if_matched_sid>
<same_source_ip />
<description>Apache: Multiple Invalid URI requests from same source.</description>
<mitre>
<id>T1499</id>
</mitre>
<group>gdpr_IV_35.7.d,hipaa_164.312.b,invalid_request,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,pci_dss_10.2.4,pci_dss_11.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
The rule is triggered when rule 30315 has been triggered 10 times in 120 seconds and if the requests were made by the same srcip
.
if_matched_group
Matches if an alert of the defined group has been triggered in a set number of seconds.
This option is used in conjunction with frequency
and timeframe
.
Default Value |
n/a |
Allowed values |
Any Group |
Example:
<rule id="40113" level="12" frequency="8" timeframe="360"> <if_matched_group>virus</if_matched_group> <description>Multiple viruses detected - Possible outbreak.</description> <group>virus,pci_dss_5.1,pci_dss_5.2,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,nist_800_53_SI.3,nist_800_53_SI.4,</group> </rule>
The rule will trigger when the group virus
has been matched 8 times in the last 360 seconds.
if_fts
Makes the decoder that processed the event to take the fts line into consideration.
Example of use |
<if_fts /> |
Note
The dynamic filters same_field or not_same_field will not work with the static fields (user, srcip, dstip, etc.) and the specific ones have to be used instead.
same_id
Specifies that the decoded id must be the same.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<same_id /> |
different_id
Specifies that the decoded id must be different.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<different_id /> |
same_srcip
Specifies that the decoded source IP address must be the same.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<same_srcip /> |
Deprecated label same_source_ip
works like an alias for same_srcip
.
different_srcip
Specifies that the decoded source IP address must be different.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<different_srcip /> |
Deprecated label not_same_source_ip
works like an alias for different_srcip
.
same_dstip
Specifies that the decoded destination IP address must be the same.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<same_dstip /> |
different_dstip
Specifies that the decoded destination IP address must be different.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<different_dstip /> |
same_srcport
Specifies that the decoded source port must be the same.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<same_srcport /> |
different_srcport
Specifies that the decoded source port must be different.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<different_srcport /> |
same_dstport
Specifies that the decoded destination port must be the same.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<same_dstport /> |
different_dstport
Specifies that the decoded destination port must be different.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<different_dstport /> |
same_location
Specifies that the location must be the same.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<same_location /> |
different_location
Specifies that the decoded location must be different.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<different_location /> |
same_srcuser
Specifies that the decoded source user must be the same.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<same_srcuser /> |
different_srcuser
Specifies that the decoded source user must be different.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<different_srcuser /> |
same_user
Specifies that the decoded user must be the same.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<same_user /> |
different_user
Specifies that the decoded user must be different.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<different_user /> |
same_field
The value of the dynamic field specified in this option must appear in previous events a frequency
number of times within the required timeframe
.
Example of use |
<same_field>key</same_field> |
As an example of this option, check these rules:
<!-- {"key":"value", "key2":"AAAA"} -->
<rule id="100001" level="3">
<decoded_as>json</decoded_as>
<field name="key">value</field>
<description>Testing JSON alert</description>
</rule>
<rule id="100002" level="10" frequency="4" timeframe="300">
<if_matched_sid>100001</if_matched_sid>
<same_field>key2</same_field>
<description>Testing same_field option</description>
</rule>
Rule 100002 will fire when key2
in the currently considered event is the same in four events that matched rule 100001 before within the last 300 seconds. Therefore, for the following events sequence:
{"key":"value", "key2":"AAAA"}
{"key":"value", "key2":"AAAA"}
{"key":"value", "key2":"BBBB"}
{"key":"value", "key2":"AAAA"}
{"key":"value", "key2":"CCCC"}
{"key":"value", "key2":"CCCC"}
{"key":"value", "key2":"AAAA"}
The last event will fire rule 100002 instead of 100001 because it found the value AAAA
in three of the previous events. The corresponding alert looks like this one:
{
"timestamp": "2020-03-04T03:00:28.973-0800",
"rule": {
"level": 10,
"description": "Testing same_field option",
"id": "100002",
"frequency": 4,
"firedtimes": 1,
"mail": false,
"groups": [
"local"
]
},
"agent": {
"id": "000",
"name": "ubuntu"
},
"manager": {
"name": "ubuntu"
},
"id": "1583319628.14426",
"previous_output": "{\"key\":\"value\",\"key2\":\"AAAA\"}\n{\"key\":\"value\",\"key2\":\"AAAA\"}\n{\"key\":\"value\",\"key2\":\"AAAA\"}",
"full_log": "{\"key\":\"value\",\"key2\":\"AAAA\"}",
"decoder": {
"name": "json"
},
"data": {
"key": "value",
"key2": "AAAA"
},
"location": "/root/test.log"
}
different_field
It is the opposite setting of same_field
. The value of the dynamic field specified in this option must be different than the ones found in previous events a frequency
number of times within the required timeframe
.
Example of use |
<different_field>key2</different_field> |
global_frequency
Specifies that the events of all agents will be contemplated when using the
frequency and timeframe
options. By default, only the events generated by
the same agent will be taken into account to increase the frequency counter for a rule.
Example of use |
<global_frequency /> |
Warning
Although the label contains the word global, this option works at manager level, not at cluster level.
same_protocol
Specifies that the decoded protocol must be the same.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<same_protocol /> |
different_protocol
Specifies that the decoded protocol must be different.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<different_protocol /> |
same_action
Specifies that the decoded action must be the same.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<same_action /> |
different_action
Specifies that the decoded action must be different.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<different_action /> |
same_data
Specifies that the decoded data must be the same.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<same_data /> |
different_data
Specifies that the decoded data must be different.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<different_data /> |
same_extra_data
Specifies that the decoded extra data must be the same.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<same_extra_data /> |
different_extra_data
Specifies that the decoded extra data must be different.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<different_extra_data /> |
same_status
Specifies that the decoded status must be the same.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<same_status /> |
different_status
Specifies that the decoded status must be different.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<different_status /> |
same_system_name
Specifies that the decoded system name must be the same.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<same_system_name /> |
different_system_name
Specifies that the decoded system name must be different.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<different_system_name /> |
same_url
Specifies that the decoded url must be the same.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<same_url /> |
different_url
Specifies that the decoded url must be different.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<different_url /> |
same_srcgeoip
Specifies that the source geoip location must be the same.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<same_srcgeoip /> |
different_srcgeoip
Specifies that the source geoip location must be different.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<different_srcgeoip /> |
Example:
As an example of these last options, check this rule:
<rule id=100005 level="0"> <match> Could not open /home </match> <same_user /> <different_srcgeoip /> <same_dstport /> </rule>That rule filters when the same
user
tries to open file/home
but returns an error, on a differentip
and using the sameport
.
same_dstgeoip
Specifies that the destination geoip location must be the same.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<same_dstgeoip /> |
different_dstgeoip
Specifies that the destination geoip location must be different.
This option is used in conjunction with frequency
and timeframe
.
Example of use |
<different_dstgeoip /> |
description
Specifies a human-readable description to the rule in order to provide context to each alert regarding the nature of the events matched by it.
Default Value |
n/a |
Allowed values |
Any string |
Examples:
<rule id="100015" level="2"> ... <description> A timeout occurred. </description> </rule> <rule id="100035" level="4"> ... <description> File missing. Root access unrestricted. </description> </rule>
Since ThreatLockDown version 3.3 it is possible to include any decoded field (static or dynamic) to the description message. You can use the following syntax: $(field_name)
to add a field to the description.
Example:
<rule id="100005" level="8"> <match>illegal user|invalid user</match> <description>sshd: Attempt to login using a non-existent user from IP $(attempt_ip)</description> <options>no_log</options> </rule>
If description
label is declared multiple times within the rule, the following rules apply:
The resulting value is their concatenation.
list
Perform a CDB lookup using an ossec list. This is a fast on-disk database which will always find keys within two seeks of the file.
Default Value |
n/a |
Allowed values |
Path to the CDB file to be used for lookup from the OSSEC directory. Must also be included in the ossec.conf file. |
Attribute |
Description |
|
field |
key in the CDB: srcip, srcport, dstip, dstport, extra_data, user, url, id, hostname, program_name, status, action, dynamic field. |
|
lookup |
match_key |
key to search within the cdb and will match if they key is present. Default. |
not_match_key |
key to search and will match if it is not present in the database. |
|
match_key_value |
searched for in the cdb. It will be compared with regex from attribute check_value. |
|
address_match_key |
IP address and the key to search within the cdb and will match if they key is present. |
|
not_address_match_key |
IP address and the key to search and will match if it IS NOT present in the database. |
|
address_match_key_value |
IP address to search in the cdb. It will be compared with regex from attribute check_value. |
|
check_value |
regex for matching on the value pulled out of the cdb when using types: address_match_key_value, match_key_value |
Example:
<rule id="80780" level="3"> <if_sid>80700</if_sid> <list field="audit.key" lookup="match_key_value" check_value="write">etc/lists/audit-keys</list> <description>Audit: Watch - Write access</description> <group>audit_watch_write,gdpr_IV_30.1.g,</group> </rule>
The rule will look for "audit.key" in the CDB list. Where it will check if its equal to "write", in which case it will match and trigger a level 3 alert.
info
Extra information may be added through the following attributes:
Default Value |
n/a |
Allowed values |
Any string |
Attribute |
Allowed values |
Description |
type |
text |
This is the default when no type is selected. Additional information about the alert/event. |
link |
Link to more information about the alert/event. |
|
cve |
The CVE Number related to this alert/event. |
|
ovsdb |
The osvdb id related to this alert/event. |
Example:
<rule id="5714" level="14" timeframe="120" frequency="3"> <if_matched_sid>5713</if_matched_sid> <match>Local: crc32 compensation attack</match> <description>sshd: SSH CRC-32 Compensation attack</description> <info type="cve">2001-0144</info> <info type="link">http://www.securityfocus.com/bid/2347/info/</info> <group>exploit_attempt,pci_dss_11.4,pci_dss_6.2,gpg13_4.12,gdpr_IV_35.7.d,nist_800_53_SI.4,nist_800_53_SI.2,</group> </rule>
The rule provides additional information about the threat it detects.
options
Additional rule options.
Attribute |
Description |
---|---|
alert_by_email |
Always alert by email. |
no_email_alert |
Never alert by email. |
no_log |
Do not log this alert. |
no_full_log |
Do not include the |
no_counter |
Omit field |
Example:
<rule id="9800" level="8"> <match>illegal user|invalid user</match> <description>sshd: Attempt to login using a non-existent user</description> <options>no_log</options> </rule>
Note
Use one <options>
tag for each option you want to add.
check_diff
Used to determine when the output of a command changes.
Example:
<rule id="534" level="1"> <if_sid>530</if_sid> <match>ossec: output: 'w'</match> <check_diff /> <options>no_log</options> <description>List of logged in users. It will not be alerted by default.</description> </rule>
mitre
Specifies the MITRE ATT&CK technique ID or IDs that fit in well with the rule.
Required label |
Value |
---|---|
id |
MITRE ATT&CK technique ID. |
Example:
<rule id="100002" level="10"> <description>Attack technique sample.</description> <mitre> <id>T1110</id> <id>T1037</id> </mitre> </rule>
var
Defines a variable that can be used in any place within the same file. It must be defined at the base level of the ruleset, not inside a tagged section.
Attribute |
Value |
---|---|
name |
Name for the variable. |
Example:
<var name="joe_folder">/home/joe/</var>
<group name="local,">
<rule id="100001" level="5">
<if_sid>550</if_sid>
<field name="file">^$joe_folder</field>
<description>A Joe's file was modified.</description>
<group>ossec,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,</group>
</rule>
</group>
BAD_WORDS
<var name="BAD_WORDS">error|warning|failure</var>
BAD_WORDS
is a very used use case of the <var>
option.
It is used to include many words in the same variable. Later, this variable can be matched into the decoders to check if any of those words are in a caught event.
Example:
<var name="BAD_WORDS">error|warning|failure</var>
<group name="syslog,errors,">
<rule id="XXXX" level="2">
<match>$BAD_WORDS</match>
<description>Error found.</description>
</rule>
</group>