Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Wazuh ruleset specify behavior with more than one conditional #7484

Open
fcaffieri opened this issue Jun 28, 2024 · 0 comments
Open

Wazuh ruleset specify behavior with more than one conditional #7484

fcaffieri opened this issue Jun 28, 2024 · 0 comments
Labels
level/task Task issue type/enhancement Enhancement issue

Comments

@fcaffieri
Copy link
Member

Description

It is necessary to add to the documentation, such as the treatment of conditionals when having more than one in a rule.

For example:

<rule id="222240" level="15" frequency="100" timeframe="300">
 <if_matched_sid>60122</if_matched_sid>
 <field name="win.eventdata.redacted1" negate="yes">Redacted1</field>
 <field name="win.eventdata.redacted2" negate="yes">Redacted2</field>
</rule>

It must be specified somewhere that for said rule to be triggered, it must meet all the conditionals. If any rule is not met, it will not be triggered.
@fcaffieri fcaffieri added level/task Task issue type/enhancement Enhancement issue labels Jun 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
level/task Task issue type/enhancement Enhancement issue
Projects
Release 4.10.0
Status: Backlog
Milestone
No milestone
Development

No branches or pull requests
1 participant
@fcaffieri