wazuh / wazuh-ruleset

Wazuh - Ruleset
https://wazuh.com

Rules with fields from dynamic decoders; how can they be leveraged? #750

Closed MagnusMWW closed 4 years ago

MagnusMWW commented 4 years ago

I've been experimenting with dynamic fields in decoders. In particular, I'm interested in adding more fields from web access logs, so I've made some local changes in the file "0375-web-accesslog_decoders_local.xml", as follows:

<decoder name="web-accesslog">
    <type>web-log</type>
    <prematch>^\S+ \S+ \S+ \.*[\S+ \S\d+] "\w+ \.* HTTP\S+" </prematch>
</decoder>

<decoder name="web-accesslog-domain">
    <type>web-log</type>
    <parent>web-accesslog</parent>
    <prematch>^\S+.\D+</prematch>
    <regex>^\S+ (\S+) \S+ \.*[\S+ \S\d+] "(\w+) (\.*) HTTP\S+" (\d+) \d+ "\w+" "(\.*)"</regex>
    <order>srcip, protocol, url, id, useragent</order>
</decoder>

<decoder name="web-accesslog-ip-ip">
    <type>web-log</type>
    <parent>web-accesslog</parent>
    <prematch>^\S+ \S+.\S+ |^\S+ \S+:\S+ </prematch>
    <regex>^(\S+) (\S+) \S+ \.*[\S+ \S\d+] "(\w+) (\.*) HTTP\S+" (\d+) \d+ "\w+" "(\.*)"</regex>
    <order>srcip2, srcip, protocol, url, id, useragent</order>
</decoder>

<decoder name="web-accesslog-ip">
    <type>web-log</type>
    <parent>web-accesslog</parent>
    <regex>^(\S+) \S+ \S+ \.*[\S+ \S\d+] "(\w+) (\.*) HTTP\S+" (\d+) \d+ "\w+" "(\.*)"</regex>
    <order>srcip, protocol, url, id, useragent</order>
</decoder>

As you can see, I've added some stuff to the regex, so that I will get a "useragent"-field extracted, which I would then like to use in rules to match against, for example:

  <rule id="32011" level="6">
    <if_sid>31101</if_sid>
    <useragent>Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)</useragent>
    <description>Web scan: nmap version gathering (nmap -sV)</description>
    <info>See https://nytrosecurity.com/2019/01/21/network-scanning-with-nmap/</info>
    <group>scan,pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.1,gdpr_IV_35.7.d,</group>
  </rule>

The decoder works, as displayed below:

2020/09/15 09:38:03 ossec-testrule: INFO: Started (pid: 32274).
ossec-testrule: Type one log per line.

10.10.0.131 - - [14/Sep/2020:14:25:48 +0200] "OPTIONS / HTTP/1.1" 405 157 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"

**Phase 1: Completed pre-decoding.
       full event: '10.10.0.131 - - [14/Sep/2020:14:25:48 +0200] "OPTIONS / HTTP/1.1" 405 157 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"'
       timestamp: '(null)'
       hostname: 'nibutani'
       program_name: '(null)'
       log: '10.10.0.131 - - [14/Sep/2020:14:25:48 +0200] "OPTIONS / HTTP/1.1" 405 157 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '10.10.0.131'
       protocol: 'OPTIONS'
       url: '/'
       id: '405'
       useragent: 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)'

**Phase 3: Completed filtering (rules).
       Rule id: '31101'
       Level: '5'
       Description: 'Web server 400 error code.'
**Alert to be generated.

However, when trying to create the rule displayed above, ossec-logtest throws an error:

2020/09/15 09:19:31 ossec-testrule: ERROR: Invalid option 'useragent' for rule '32011'.
2020/09/15 09:19:31 ossec-testrule: CRITICAL: (1220): Error loading the rules: 'etc/rules/web_rules.xml'.

My question is simply: is it possible to add fields like this and use them in the rules in the way I want to here, or is it simply not possible? In that case, does that mean that the only option is to match against the built-in field names? I've been reading the documentation (linked below), but there is only a mention of dynamic fields in decoders, not really in rules. The "field" option in the rules syntax section seems to suggest that this should work, though. Thanks in advance!

MagnusMWW commented 4 years ago

As usual, the answer is right in front of me... In the examples provided in the ruleset here, I see that the form I should have used is:

    <field name="nameoffield">regex</field>

Closing this.
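The fix the author found, worked into a complete local rules file. This is an added example, not code from the issue or from the stock Wazuh ruleset. It assumes the decoder posted above populates a dynamic field named useragent, that 31100 is the stock grouping rule for web access logs (the parent of the 31101 rule seen in the logtest output), and it picks rule IDs 100100 and 100101 from the 100000-119999 range Wazuh reserves for custom rules instead of the 32011 used in the question. The scanner strings in the second rule are illustrative defaults; real scans may set any User-Agent.

```xml
<!-- Added example, not part of the issue or of the stock Wazuh ruleset.
     Assumes the author's web-accesslog decoder extracts the dynamic field
     "useragent" and that this file is loaded as a local rules file.
     Rule IDs 100100 and 100101 come from the 100000-119999 custom range. -->
<group name="web,accesslog,scan,">

  <!-- Dynamic fields have no dedicated rule tag such as <useragent>, so the
       rule loader rejects it ("Invalid option 'useragent'"). They are matched
       with <field name="...">, whose content is an os_regex pattern that is
       searched as a substring. Matching on "Nmap Scripting Engine" alone is
       enough and avoids dealing with the parentheses in the full User-Agent.
       Hooking onto 31100 (all web access log lines) rather than 31101 (4xx
       only) means a probe answered with 200 or 301 still triggers. -->
  <rule id="100100" level="6">
    <if_sid>31100</if_sid>
    <field name="useragent">Nmap Scripting Engine</field>
    <description>Web scan: Nmap NSE user agent from $(srcip) requesting $(url)</description>
    <group>scan,pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.1,gdpr_IV_35.7.d,</group>
  </rule>

  <!-- One rule for several scanner User-Agent strings using os_regex
       alternation. The listed names are illustrative defaults only;
       matching is case-sensitive. -->
  <rule id="100101" level="6">
    <if_sid>31100</if_sid>
    <field name="useragent">(Nikto|sqlmap|masscan)</field>
    <description>Web scan: known scanner user agent from $(srcip) requesting $(url)</description>
    <group>scan,</group>
  </rule>

</group>
```

Run ossec-logtest exactly as in the question and paste the same Nmap OPTIONS line: Phase 2 is unchanged, and Phase 3 should now report rule 100100 at level 6 instead of 31101 at level 5, because child rules of 31100 are tried in descending level order. The $(srcip) and $(url) placeholders are the same dynamic field substitution in descriptions that Wazuh supports for decoder fields, so the alert text carries the scanner's address without a separate rule per host.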