Rules Syntax - Ruleset XML Syntax Wazuh Documentation

The Wazuh Ruleset XML syntax documentation provides guidelines for creating and managing rules that analyze incoming events and generate alerts. It details various options and parameters that can be used to define rules, such as matching conditions, group categorization, and additional attributes. The document emphasizes community contributions and the continuous enhancement of the ruleset for better functionality.
9/1/24, 11:09 Rules Syntax - Ruleset XML syntax · Wazuh documentation

Version 4.7 (current)


Rules Syntax
The Wazuh Ruleset, combined with any custom rules, is used to analyze incoming events and generate alerts when appropriate.
The Ruleset is in constant expansion and enhancement thanks to the collaborative effort of our developers and our growing
community.

Our aim is to provide the best guidance possible for anyone who may be looking into developing their own custom rules. Remember
that you can always contribute to our community.

Overview
The XML labels used to configure rules are listed here.

| Option | Values | Description |
|---|---|---|
| rule | See table below. | It starts a new rule and its defining options. |
| match | Any regular expression. | It will attempt to find a match in the log using sregex by default, deciding if the rule should be triggered. |
| regex | Any regular expression. | It does the same as match, but with regex as default. |
| decoded_as | Any decoder's name. | It will match with logs that have been decoded by a specific decoder. |
| category | Any type. | It will match with logs whose decoder's type concurs. |
| field | Name and any regular expression. | It will compare a field extracted by the decoder in order with a regular expression. |
| srcip | Any IP address. | It will compare the IP address with the IP decoded as srcip. Use "!" to negate it. |
| dstip | Any IP address. | It will compare the IP address with the IP decoded as dstip. Use "!" to negate it. |
| srcport | Any regular expression. | It will compare a regular expression representing a port with a value decoded as srcport. |
| dstport | Any regular expression. | It will compare a regular expression representing a port with a value decoded as dstport. |
| data | Any regular expression. | It will compare a regular expression representing data with a value decoded as data. |
| extra_data | Any regular expression. | It will compare a regular expression representing extra data with a value decoded as extra_data. |
| user | Any regular expression. | It will compare a regular expression representing a user with a value decoded as user. |
| system_name | Any regular expression. | It will compare a regular expression representing a system name with a value decoded as system_name. |
| program_name | Any regular expression. | It will compare a regular expression representing a program name with a value pre-decoded as program_name. |
| protocol | Any regular expression. | It will compare a regular expression representing a protocol with a value decoded as protocol. |
| hostname | Any regular expression. | It will compare a regular expression representing a hostname with a value pre-decoded as hostname. |
| time | Any time range, e.g. (hh:mm-hh:mm) | It checks if the event was generated during that time range. |
| weekday | monday - sunday, weekdays, weekends | It checks whether the event was generated during certain weekdays. |
| id | Any regular expression. | It will compare a regular expression representing an ID with a value decoded as id. |
| url | Any regular expression. | It will compare a regular expression representing a URL with a value decoded as url. |
| location | Any regular expression. | It will compare a regular expression representing a location with a value pre-decoded as location. |
| action | Any String or regular expression. | It will compare a string or regular expression representing an action with a value decoded as action. |
| status | Any regular expression. | It will compare a regular expression representing a status with a value decoded as status. |
| srcgeoip | Any regular expression. | It will compare a regular expression representing a GeoIP source with a value decoded as srcgeoip. |
| dstgeoip | Any regular expression. | It will compare a regular expression representing a GeoIP destination with a value decoded as dstgeoip. |
| if_sid | A list of rule IDs separated by commas or spaces. | It works similarly to parent in decoders. It will match when a rule ID on the list has previously matched. |
| if_group | Any group name. | It will match if the indicated group has matched before. |
| if_level | Any level from 1 to 16. | It will match if that level has already been triggered by another rule. |
| if_matched_sid | Any rule ID (Number). | Similar to if_sid but it will only match if the ID has been triggered in a period of time. |
| if_matched_group | Any group name. | Similar to if_group but it will only match if the group has been triggered in a period of time. |
| same_id | None. | The decoded id must be the same. |
| different_id | None. | The decoded id must be different. |
| same_srcip | None. | The decoded srcip must be the same. |
| different_srcip | None. | The decoded srcip must be different. |
| same_dstip | None. | The decoded dstip must be the same. |
| different_dstip | None. | The decoded dstip must be different. |
| same_srcport | None. | The decoded srcport must be the same. |
| different_srcport | None. | The decoded srcport must be different. |
| same_dstport | None. | The decoded dstport must be the same. |
| different_dstport | None. | The decoded dstport must be different. |
| same_location | None. | The location must be the same. |
| different_location | None. | The location must be different. |
| same_srcuser | None. | The decoded srcuser must be the same. |
| different_srcuser | None. | The decoded srcuser must be different. |
| same_user | None. | The decoded user must be the same. |
| different_user | None. | The decoded user must be different. |
| same_field | None. | The decoded field must be the same as the previous ones. |
| different_field | None. | The decoded field must be different from the previous ones. |
| same_protocol | None. | The decoded protocol must be the same. |
| different_protocol | None. | The decoded protocol must be different. |
| same_action | None. | The decoded action must be the same. |
| different_action | None. | The decoded action must be different. |
| same_data | None. | The decoded data must be the same. |
| different_data | None. | The decoded data must be different. |
| same_extra_data | None. | The decoded extra_data must be the same. |
| different_extra_data | None. | The decoded extra_data must be different. |
| same_status | None. | The decoded status must be the same. |
| different_status | None. | The decoded status must be different. |
| same_system_name | None. | The decoded system_name must be the same. |
| different_system_name | None. | The decoded system_name must be different. |
| same_url | None. | The decoded url must be the same. |
| different_url | None. | The decoded url must be different. |
| same_srcgeoip | None. | The decoded srcgeoip must be the same. |
| different_srcgeoip | None. | The decoded srcgeoip must be different. |
| same_dstgeoip | None. | The decoded dstgeoip must be the same. |
| different_dstgeoip | None. | The decoded dstgeoip must be different. |
| description | Any String. | Provides a human-readable description to explain the purpose of the rule. Please use this field when creating custom rules. |
| list | Path to the CDB file. | Perform a CDB lookup using an ossec list. |
| info | Any String. | Extra information using certain attributes. |
| options | See the table below. | Additional rule options that can be used. |
| check_diff | None. | Determines when the output of a command changes. |
| group | Any String. | Add additional groups to the alert. |
| mitre | See Mitre table below. | Contains Mitre Technique IDs that fit the rule. |
| var | Name for the variable. Most used: BAD_WORDS | Defines a variable that can be used anywhere inside the same file. |

group
Groups categorize alerts. They allow filtering related alerts in the Wazuh dashboard.

The default Wazuh ruleset already includes rules that use groups like syscheck, attack, and syslog. As an example, you
can filter alerts for these categories by querying rule.groups: attack or rule.groups: (syscheck OR syslog) in the Wazuh
dashboard.

Every rule must belong to at least one group. To specify one or more groups for a rule, enclose the rule definition with the
<group name="GROUP1_NAME,GROUP2_NAME,"> element. For example:

<group name="wazuh,">
<rule id="100234" level="3">
<if_sid>230</if_sid>
<field name="alert_type">normal</field>
<description>The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored.</description>
</rule>
</group>

You can also specify additional groups by including the <group> element within the rule definition. For example:

<group name="wazuh,">
<rule id="100234" level="3">
<if_sid>230</if_sid>
<field name="alert_type">normal</field>
<description>The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored.</description>
<group>syscheck,fim_db_state,</group>
</rule>
</group>

To define rules that trigger only if another rule in a specific group has triggered, check the if_group and if_matched_group
options.
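The option table above and the group requirement just described can be turned into a lint pass for custom rule files before they are loaded. The script below is an added example, not part of the Wazuh documentation or code base: it parses a rules file, flags any <rule> outside a <group name="..."> block, any child element that is not one of the documented options, a missing <description>, a non-numeric <if_sid> list, and an <if_level> outside 1-16. The sample rules file embedded at the bottom is constructed for the demonstration (the first rule is the page's own example).

```python
import re
import xml.etree.ElementTree as ET

# Option labels from the table above; the same_*/different_* pairs are expanded from PAIRED.
PAIRED = "id srcip dstip srcport dstport location srcuser user field protocol action data extra_data status system_name url srcgeoip dstgeoip".split()
RULE_OPTIONS = set("""match regex decoded_as category field srcip dstip srcport dstport data
    extra_data user system_name program_name protocol hostname time weekday id url location
    action status srcgeoip dstgeoip if_sid if_group if_level if_matched_sid if_matched_group
    description list info options check_diff group mitre""".split())
RULE_OPTIONS |= {f"same_{f}" for f in PAIRED} | {f"different_{f}" for f in PAIRED}

def check_rule(rule):
    """Apply the table's constraints to one <rule>; returns (rule_id, message) findings."""
    rid, out, tags = rule.get("id", "?"), [], [c.tag for c in rule]
    out += [(rid, f"unknown option <{t}>") for t in tags if t not in RULE_OPTIONS]
    if "description" not in tags:  # the table asks for one on every custom rule
        out.append((rid, "missing <description>"))
    for c in rule:
        text = (c.text or "").strip()
        if c.tag == "if_sid":  # rule IDs separated by commas or spaces
            ids = [i for i in re.split(r"[,\s]+", text) if i]
            if not ids or not all(i.isdigit() for i in ids):
                out.append((rid, f"<if_sid> must list numeric rule IDs, got {text!r}"))
        elif c.tag == "if_level" and not (text.isdigit() and 1 <= int(text) <= 16):
            out.append((rid, f"<if_level> must be 1-16, got {text!r}"))
    return out

def lint_rules(xml_text):
    """A rules file may hold several top-level <group> blocks, so parse under a dummy root."""
    findings = []
    for top in ET.fromstring(f"<root>{xml_text}</root>"):
        if top.tag == "rule":  # every rule must be enclosed in a <group name="..."> element
            findings.append((top.get("id", "?"), "rule is not enclosed in a <group name=...> element"))
        elif top.tag == "group":
            for rule in top.findall("rule"):
                findings += check_rule(rule)
    return findings

# Constructed sample: the page's own rule, a rule with several mistakes, and an orphan rule.
SAMPLE = """<group name="wazuh,">
  <rule id="100234" level="3">
    <if_sid>230</if_sid>
    <description>The file limit set for this agent is $(file_limit).</description>
  </rule>
  <rule id="100235" level="5">
    <if_sid>230, 231 abc</if_sid><if_level>20</if_level><regexp>undocumented</regexp>
  </rule>
</group>
<rule id="100236" level="2"><description>outside any group</description></rule>"""
```

Running `lint_rules(SAMPLE)` reports nothing for rule 100234, four findings for rule 100235 and one for the orphan rule 100236.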
rule
<rule> is the label that starts the block that defines a rule. In this section, different options for this label are explained.
