
Custom rules for WAZUH File integrity monitoring not present in Kibana FIM module (but are present under all events)


I am following the example of Wazuh FIM for Changing severity of the events. After applying that rule I started receiving events on Kibana under the new rule id 100345, which is what I wanted (under the all events section). But I stopped receiving the original events, for example the event of rule 550 (for checksum changed); I am assuming because of that new rule. So because of that the Kibana FIM module also does not show any of the events.

So my questions are:


Solution

  • It wouldn't be correct to raise two alerts for the same event because it could be confusing (duplicated alert may seem like two different security events instead of just one).

    The example proposed in Wazuh documentation overwrites ALL FIM events that match the given pattern. That means unifying all possible FIM events into a single, common, high-level alert.

    That happens because the example uses the field if_group with value syscheck and that groups all FIM events.

    The best solution, if you want to keep the meaning of the different FIM alerts (for example, to differentiate an "Integrity checksum changed" alert from a "File deleted" one on your custom, critical path), is to write custom high-level alerts for each different event and make them children of the original ones using the if_sid field instead of if_group.

    For example, if you want "Integrity checksum changed" alerts with level 12 for /my/important/path files, you could create the custom alert:

    <rule id="100345" level="12">
      <if_sid>550</if_sid>
      <match>/my/important/path</match>
      <description>CRITICAL: Integrity checksum changed for an important file!</description>
    </rule>
    

    That would modify the alert "Integrity checksum changed" when the path matches your critical path and would keep all the other FIM alerts as default.

    If you want to add another one, for example for deleted files, you could check the ossec rules in the Wazuh official ruleset and create new ones based on the original, using the if_sid (parent id) value and giving it the id of the rule that you want to improve. Of course, if an event doesn't match your defined path, the default rule will still generate alerts with the default level for those files.

    This solution also allows you to define a different description for different events or even different alerts levels.


    Edit:

    Example FIM dashboard with custom rules

    If you want the new alerts to be displayed in the FIM Kibana dashboard you just need to add the required groups to them, for example by copying the parent rule's groups.

    <rule id="100345" level="12">
      <category>ossec</category>
      <if_sid>550</if_sid>
      <match>/tmp</match>
      <description>CRITICAL: Integrity checksum changed for an important file! $(syscheck.path)</description>
      <group>syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    </rule>
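The three points in this answer (children via if_sid per event type, copying the parent's groups so the alert reaches the FIM module, and the if_group=syscheck pitfall that swallows every FIM event) can be checked mechanically before a rules file is deployed. The following script is an added example, not Wazuh's own tooling or code from the answer above: it parses a local_rules.xml fragment with Python's standard library and reports rules that hook a syscheck parent without carrying the syscheck group, rules that use if_group=syscheck, duplicate ids, and ids outside the custom range. The sample rules are constructed for this example; the parent ids 550-554 and the 100000-120000 custom range are assumed to be the unchanged Wazuh defaults, and group names are merged from both the enclosing `<group name="...">` element and the rule's own `<group>` element.

```python
"""Lint custom Wazuh FIM rules (added example, not Wazuh's own tooling).

Reports rules that hook a syscheck parent via if_sid but carry no 'syscheck'
group (they will be missing from the Kibana FIM module) and rules that hook
<if_group>syscheck</if_group>, which overrides every FIM event at once.
"""
import xml.etree.ElementTree as ET

# Parent ids of the default Wazuh FIM rules: 550 checksum changed, 551/552
# changed again, 553 file deleted, 554 file added (assumed unchanged defaults).
SYSCHECK_PARENTS = {550, 551, 552, 553, 554}
CUSTOM_ID_RANGE = range(100000, 120001)  # id range reserved for local rules

# Constructed sample: three custom rules, two of them with a problem.
SAMPLE_LOCAL_RULES = """
<group name="local,">
  <!-- 1: child of 550 but no 'syscheck' group -> hidden from FIM dashboard -->
  <rule id="100345" level="12">
    <if_sid>550</if_sid>
    <match>/my/important/path</match>
    <description>CRITICAL: Integrity checksum changed for an important file!</description>
  </rule>
  <!-- 2: child of 553 (file deleted) with the parent's groups copied -> fine -->
  <rule id="100346" level="12">
    <if_sid>553</if_sid>
    <match>/my/important/path</match>
    <description>CRITICAL: important file deleted! $(syscheck.path)</description>
    <group>syscheck,pci_dss_11.5,</group>
  </rule>
  <!-- 3: if_group=syscheck overrides every FIM alert, not one event type -->
  <rule id="100347" level="12">
    <if_group>syscheck</if_group>
    <match>/my/important/path</match>
    <description>Any FIM event on an important file</description>
    <group>syscheck,</group>
  </rule>
</group>
"""


def _csv(text):
    """Split a comma-separated Wazuh list (trailing comma allowed) into a set."""
    return {item.strip() for item in (text or "").split(",") if item.strip()}


def parse_rules(xml_text):
    """Return one dict per <rule>, with groups merged from the enclosing
    <group name="..."> wrapper and the rule's own <group> element."""
    # A rules file may contain several top-level <group> elements, so wrap it
    # in a synthetic root to keep the parser happy.
    root = ET.fromstring("<ruleset>" + xml_text + "</ruleset>")
    rules = []
    for grp in root.findall("group"):  # direct children only
        inherited = _csv(grp.get("name"))
        for rule in grp.findall("rule"):
            rules.append({
                "id": int(rule.get("id")),
                "level": int(rule.get("level", "0")),
                "if_sid": {int(p) for p in _csv(rule.findtext("if_sid"))},
                "if_group": _csv(rule.findtext("if_group")),
                "groups": inherited | _csv(rule.findtext("group")),
                "description": (rule.findtext("description") or "").strip(),
            })
    return rules


def lint(rules):
    """Return (rule_id, message) findings in file order."""
    findings, seen = [], set()
    for r in rules:
        rid = r["id"]
        if rid in seen:
            findings.append((rid, "duplicate rule id"))
        seen.add(rid)
        if rid not in CUSTOM_ID_RANGE:
            findings.append((rid, "id outside the custom range 100000-120000"))
        if r["if_sid"] & SYSCHECK_PARENTS and "syscheck" not in r["groups"]:
            findings.append((rid, "missing 'syscheck' group: hidden from FIM dashboard"))
        if "syscheck" in r["if_group"]:
            findings.append((rid, "if_group=syscheck overrides all FIM events; use if_sid"))
    return findings


if __name__ == "__main__":
    for rule_id, message in lint(parse_rules(SAMPLE_LOCAL_RULES)):
        print(f"rule {rule_id}: {message}")
```

Run it against the real local_rules.xml by reading the file into `parse_rules` instead of the embedded sample; a clean run returns an empty findings list, and the first finding reproduces exactly the symptom described in the question (a custom child of 550 that never reaches the FIM module).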