On Wazuh Rule Syntax documentation, the section does not mention which fields can be utilized or not.
We know that:
agent.* properties are not usable for the <field> in rules.
dstuser, srcip are not usable as they are static values.
full_log is not usable, even though it is possible to write a rule without getting a syntax warning.
There are probably others too, because they are generated at runtime as part of enrichment and probably appear after the rule check. Internals might change, but this is important for users to write rules that work.
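As an added example (not from the issue author or the Wazuh project), the check below turns the list above into a small lint for a local rule file: it parses the XML and flags every `<field name="...">` whose name is one the issue reports as unusable (`agent.*`, `dstuser`, `srcip`, `full_log`). The flagged names come only from the issue text; the sample rule file, its rule ids and the `if_sid` value are constructed for the demonstration and are not real Wazuh ruleset entries.

```python
import xml.etree.ElementTree as ET

# Field names the issue above reports as unusable in <field name="...">.
# This list is taken from the issue text, not from Wazuh's own validator.
UNUSABLE_PREFIXES = ("agent.",)          # agent.* properties
STATIC_VALUES = {"dstuser", "srcip"}     # static values, not matchable via <field>
UNUSABLE_NAMES = {"full_log"}            # accepted by the syntax check but never matches


def unusable_reason(name: str):
    """Return why a <field> name is unusable, or None if it is not flagged."""
    if any(name.startswith(p) for p in UNUSABLE_PREFIXES):
        return "agent.* properties are added at runtime by enrichment"
    if name in STATIC_VALUES:
        return "static value, not matchable with <field>"
    if name in UNUSABLE_NAMES:
        return "not usable even though no syntax warning is raised"
    return None


def lint_rule_file(xml_text: str):
    """Return (rule_id, field_name, reason) for every flagged <field> in a rule file.

    Wazuh rule files may contain several top-level <group> elements, which is
    not well-formed XML on its own, so the text is wrapped in a synthetic root
    before parsing.
    """
    root = ET.fromstring("<wazuh_lint_root>" + xml_text + "</wazuh_lint_root>")
    findings = []
    for rule in root.iter("rule"):
        rule_id = rule.get("id", "?")
        for field in rule.findall("field"):
            name = field.get("name", "")
            reason = unusable_reason(name)
            if reason:
                findings.append((rule_id, name, reason))
    return findings


# Constructed sample rule file (not from the Wazuh ruleset): rule ids, the
# if_sid value and the field names are made up to exercise the check.
SAMPLE_RULES = """
<group name="local,lint-demo,">
  <rule id="100100" level="3">
    <if_sid>100099</if_sid>
    <field name="win.eventdata.targetUserName">^svc-</field>
    <description>Decoded field: accepted</description>
  </rule>
  <rule id="100101" level="5">
    <if_sid>100099</if_sid>
    <field name="srcip">^10\\.0\\.</field>
    <description>Static value in field: flagged</description>
  </rule>
  <rule id="100102" level="5">
    <if_sid>100099</if_sid>
    <field name="agent.name">^web-</field>
    <field name="full_log">sudo</field>
    <description>Enrichment property and full_log: flagged</description>
  </rule>
</group>
"""

if __name__ == "__main__":
    for rule_id, name, reason in lint_rule_file(SAMPLE_RULES):
        print(f'rule {rule_id}: <field name="{name}"> -> {reason}')
```

Run against a real `local_rules.xml` by reading the file into `lint_rule_file`; the check is purely syntactic and only reports names the issue lists, so a clean result does not prove the rule matches, it only rules out the known dead ends.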
zbalkan changed the title from "Add explanation on Rules Syntax documentationwhich fields can('t) be used" to "Add explanation on Rules Syntax documentation which fields can('t) be used" on Mar 22, 2023.